Bug#930060: RM: libcpan-meta-perl -- ROM; Obsoleted by perl

2019-06-06 Thread Dominic Hargreaves
Package: ftp.debian.org
Severity: normal

Per #915876 and the pkg-perl policy[1], please remove libcpan-meta-perl.

[1] 



Bug#912682: Re: Bug#912682: usefulness of this package?

2019-06-06 Thread Dominic Hargreaves
On Fri, Dec 14, 2018 at 03:00:10AM +0100, gregor herrmann wrote:
> On Thu, 13 Dec 2018 21:25:58 +0000, Dominic Hargreaves wrote:
> 
> > > Ok but I don't see how this bug differs from #915550 and #915876 for both
> > > of which the intent seems to remove the corresponding packages.
> > > 
> > > Shouldn't this package also be considered for removal?
> > 
> > Perhaps. We usually leave it a while in case it is upgraded, as the cost
> > of having it around for "a while" in unstable only is judged cheaper than
> > the extra work needed to remove it and then reintroduce it. I think this
> > is mostly a matter of personal opinion and we don't have a firm policy
> > on this, but I'm sure other list members will correct me if I'm wrong.
> 
> This matches my impression of our habits as well.
> 
> I'd just like to add that the "maintenance cost" can be zero (no
> releases, no bugs, no nothing) or can be high (e.g. breakage with
> each new perl release) or anything in between. And our habit seems to
> be that if there's no or hardly any work needed there's also no
> particular need to trigger the removal steps.

Per our new policy[1], we'll remove this after July if no new
upstream update appears.

[1] <https://perl-team.pages.debian.net/policy.html#Dual-lived_Modules>



Accepted libemail-address-perl 1.908-1+deb9u1 (all source) into proposed-updates->stable-new, proposed-updates

2019-02-09 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 07 Feb 2019 15:02:13 +
Source: libemail-address-perl
Binary: libemail-address-perl
Architecture: all source
Version: 1.908-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Dominic Hargreaves 
Description: 
 libemail-address-perl - Perl module for RFC 2822 address parsing and creation
Changes:
 libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium
 .
   * Team upload.
   * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558



Accepted libemail-address-list-perl 0.05-1+deb9u1 (all source) into proposed-updates->stable-new, proposed-updates

2019-02-09 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 08 Feb 2019 15:21:37 +
Source: libemail-address-list-perl
Binary: libemail-address-list-perl
Architecture: all source
Version: 0.05-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Dominic Hargreaves 
Description: 
 libemail-address-list-perl - RFC close address list parsing
Changes:
 libemail-address-list-perl (0.05-1+deb9u1) stretch; urgency=medium
 .
   * [SECURITY] Fix DoS vulnerability CVE-2018-18898



Accepted request-tracker4 4.4.3-2 (source) into unstable

2019-02-08 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 08 Feb 2019 17:50:03 +
Source: request-tracker4
Binary: request-tracker4 rt4-clients rt4-standalone rt4-fcgi rt4-apache2 
rt4-db-postgresql rt4-db-mysql rt4-db-sqlite rt4-doc-html
Architecture: source
Version: 4.4.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Request Tracker Group 

Changed-By: Dominic Hargreaves 
Description:
 request-tracker4 - extensible trouble-ticket tracking system
 rt4-apache2 - Apache 2 specific files for request-tracker4
 rt4-clients - mail gateway and command-line interface to request-tracker4
 rt4-db-mysql - MySQL database backend for request-tracker4
 rt4-db-postgresql - PostgreSQL database backend for request-tracker4
 rt4-db-sqlite - SQLite database backend for request-tracker4
 rt4-doc-html - HTML documentation for request-tracker4
 rt4-fcgi   - External FastCGI support for request-tracker4
 rt4-standalone - Standalone web server support for request-tracker4
Closes: 920744
Changes:
 request-tracker4 (4.4.3-2) unstable; urgency=high
 .
   * Add missing dependencies on libcpanel-json-xs-perl (Closes: #920744)



Bug#920744: Bug #920744 in request-tracker4 marked as pending

2019-02-08 Thread Dominic Hargreaves
Control: tag -1 pending

Hello,

Bug #920744 in request-tracker4 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/request-tracker-team/request-tracker4/commit/6ce499183eeff24d753a12e7ea57d2b4cb5c552d


Add missing dependencies on libcpanel-json-xs-perl (Closes: #920744)

I think missing this out from the previous commit was probably deliberate,
but based on flawed logic. It is safe and necessary to declare this
dependency to reflect the fact we are invoking it by name.


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/920744



Bug#921643: stretch-pu: package libemail-address-list-perl/0.05-1+deb9u1

2019-02-08 Thread Dominic Hargreaves
On Fri, Feb 08, 2019 at 12:47:28PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On 2019-02-07 15:28, Dominic Hargreaves wrote:
> > Fixes CVE-2018-18898 which is exposed by request-tracker4.
> > Candidate package deployed and working so far on a production system.
> 
> Please go ahead, bearing in mind that the window for 9.8 closes this
> weekend.

Uploaded.



Bug#921642: stretch-pu: package libemail-address-perl/1.908-1+deb9u1

2019-02-07 Thread Dominic Hargreaves
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2015-7686 and CVE-2018-1255 which are exposed by request-tracker4.
Candidate package deployed and working so far on a production system.
diff -Nru libemail-address-perl-1.908/debian/changelog 
libemail-address-perl-1.908/debian/changelog
--- libemail-address-perl-1.908/debian/changelog2015-09-21 
16:58:06.0 +0100
+++ libemail-address-perl-1.908/debian/changelog2019-02-07 
15:02:13.0 +
@@ -1,3 +1,10 @@
+libemail-address-perl (1.908-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * [SECURITY]: Fix DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558
+
+ -- Dominic Hargreaves   Thu, 07 Feb 2019 15:02:13 +
+
 libemail-address-perl (1.908-1) unstable; urgency=medium
 
   * Team upload.
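Review bot: The CVE identifiers do not agree between the request and this changelog entry: the request text says CVE-2018-1255, while the new entry and the patch file name say CVE-2018-12558. Confirm which identifier is meant and make the two match before upload. The entry could also say that the fix is cherry-picked from 1.912, as the patch header does, so the origin is visible from the changelog alone.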
diff -Nru 
libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch 
libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch
--- 
libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch   
1970-01-01 01:00:00.0 +0100
+++ 
libemail-address-perl-1.908/debian/patches/CVE-2015-7686_CVE-2018-12558.patch   
2019-02-07 15:01:45.0 +
@@ -0,0 +1,125 @@
+Subject: Fixes for DoS vulnerabilities CVE-2015-7686 and CVE-2018-12558
+
+These are cherry-picked from 1.912, excluding packaging related changes
+
+diff --git a/lib/Email/Address.pm b/lib/Email/Address.pm
+index d169f6b..5d545e1 100644
+--- a/lib/Email/Address.pm
 b/lib/Email/Address.pm
+@@ -36,18 +47,18 @@ my $ctext  = qr/(?>[^()\\]+)/;
+ my ($ccontent, $comment) = (q{})x2;
+ for (1 .. $COMMENT_NEST_LEVEL) {
+   $ccontent = qr/$ctext|$quoted_pair|$comment/;
+-  $comment  = qr/\s*\((?:\s*$ccontent)*\s*\)\s*/;
++  $comment  = qr/(?>\s*\((?:\s*$ccontent)*\s*\)\s*)/;
+ }
+-my $cfws   = qr/$comment|\s+/;
++my $cfws   = qr/$comment|(?>\s+)/;
+ 
+ my $atext  = qq/[^$CTL$special\\s]/;
+-my $atom   = qr/$cfws*$atext+$cfws*/;
+-my $dot_atom_text  = qr/$atext+(?:\.$atext+)*/;
+-my $dot_atom   = qr/$cfws*$dot_atom_text$cfws*/;
++my $atom   = qr/(?>$cfws*$atext+$cfws*)/;
++my $dot_atom_text  = qr/(?>$atext+(?:\.$atext+)*)/;
++my $dot_atom   = qr/(?>$cfws*$dot_atom_text$cfws*)/;
+ 
+ my $qtext  = qr/[^\\"]/;
+ my $qcontent   = qr/$qtext|$quoted_pair/;
+-my $quoted_string  = qr/$cfws*"$qcontent*"$cfws*/;
++my $quoted_string  = qr/(?>$cfws*"$qcontent*"$cfws*)/;
+ 
+ my $word   = qr/$atom|$quoted_string/;
+ 
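Review bot: Nothing in the code says why the new `(?>...)` groups around `$comment`, `$atom`, `$dot_atom_text`, `$dot_atom` and `$quoted_string` are there, so a later cleanup could remove them and bring the backtracking back. A one-line comment above the `$COMMENT_NEST_LEVEL` loop naming CVE-2015-7686 and CVE-2018-12558 would protect them. The hunk header also maps old line 36 to new line 47, but no earlier hunk in this patch adds the 11 lines that would account for the shift; the headers come from the upstream diff, and refreshing the patch would make them consistent.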
+@@ -63,15 +74,15 @@ my $word   = qr/$atom|$quoted_string/;
+ # So we disallow the hateful CFWS in this context for now.  Of modern mail
+ # agents, only Apple Web Mail 2.0 is known to produce obs-phrase.
+ # -- rjbs, 2006-11-19
+-my $simple_word= qr/$atom|\.|\s*"$qcontent+"\s*/;
+-my $obs_phrase = qr/$simple_word+/;
++my $simple_word= qr/(?>$atom|\.|\s*"$qcontent+"\s*)/;
++my $obs_phrase = qr/(?>$simple_word+)/;
+ 
+-my $phrase = qr/$obs_phrase|(?:$word+)/;
++my $phrase = qr/$obs_phrase|(?>$word+)/;
+ 
+ my $local_part = qr/$dot_atom|$quoted_string/;
+ my $dtext  = qr/[^\[\]\\]/;
+ my $dcontent   = qr/$dtext|$quoted_pair/;
+-my $domain_literal = qr/$cfws*\[(?:\s*$dcontent)*\s*\]$cfws*/;
++my $domain_literal = qr/(?>$cfws*\[(?:\s*$dcontent)*\s*\]$cfws*)/;
+ my $domain = qr/$dot_atom|$domain_literal/;
+ 
+ my $display_name   = $phrase;
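Review bot: Making `$obs_phrase` and the `$word+` branch of `$phrase` atomic changes which inputs match, not only how fast they match, because the engine can no longer give characters back from a display name to whatever follows it. The visible part of the patch adds only t/order.t, which checks ordering. A test that parses display names made of several words, dots and quoted strings in front of an angle address would show that addresses accepted before the change are still accepted.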
+@@ -124,9 +135,9 @@ my $display_name   = $phrase;
+ #pod =cut
+ 
+ our $addr_spec  = qr/$local_part\@$domain/;
+-our $angle_addr = qr/$cfws*<$addr_spec>$cfws*/;
++our $angle_addr = qr/(?>$cfws*<$addr_spec>$cfws*)/;
+ our $name_addr  = qr/(?>$display_name?)$angle_addr/;
+-our $mailbox= qr/(?:$name_addr|$addr_spec)$comment*/;
++our $mailbox= qr/(?:$name_addr|$addr_spec)(?>$comment*)/;
+ 
+ sub _PHRASE   () { 0 }
+ sub _ADDRESS  () { 1 }
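Review bot: `$addr_spec` stays as plain `qr/$local_part\@$domain/` while `$angle_addr` and the trailing `$comment*` in `$mailbox` become atomic, and `$addr_spec` is an `our` variable that callers can use on its own. If that is safe because `$dot_atom`, `$quoted_string` and `$domain_literal` are all atomic after this patch, a comment saying so would help; otherwise wrap it as well.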
+@@ -208,7 +219,13 @@ sub parse {
+ return @cached;
+ }
+ 
+-my (@mailboxes) = ($line =~ /$mailbox/go);
++my %mailboxes;
++my $str = $line;
++$str =~ s!($name_addr(?>$comment*))!$mailboxes{pos($str)} = $1; ',' x 
length $1!ego
++if $str =~ /$angle_addr/;
++$str =~ s!($addr_spec(?>$comment*))!$mailboxes{pos($str)} = $1; ',' x 
length $1!ego;
++my @mailboxes = map { $mailboxes{$_} } sort { $a <=> $b } keys %mailboxes;
++
+ my @addrs;
+ foreach (@mailboxes) {
+   my $original = $_;
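Review bot: The two-pass extraction in `parse` is undocumented and depends on a subtle invariant: each match is replaced by `',' x length $1` so that offsets in `$str` stay the same between the `$name_addr` pass and the `$addr_spec` pass, and the `pos($str)` keys are then sorted to restore input order. Please add a comment saying this above `my %mailboxes;`. Using `$-[0]` as the hash key would state "offset where the match started" directly, instead of relying on the value of `pos($str)` inside the replacement expression.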
+diff --git a/t/order.t b/t/order.t
+new file mode 100644
+index 000..e012667
+--- /dev/null
 b/t/order.t
+@@ -0,0 +1,13 @@
++use strict;
++use warnings;
++
++use Test::More;
++use Email::Address;
++
++my @emails = ( q{"foo" }, q{b...@example.com}, q{"baz" 
}, q{b...@example.com} );
++my @addr = Email::Address->parse( join ', ', @emails );
++
++is( sca
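Review bot: The new t/order.t only covers the order in which addresses come back, and in this copy the file is cut off at `is( sca`, so its assertions cannot be reviewed. Since the changelog describes the change as a fix for two DoS vulnerabilities, the patch should also carry a regression test that parses an input of the kind named in those two CVE reports under a time limit (for example with `alarm`), so that a future regex change that reintroduces the slowdown fails the test suite.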

Bug#921643: stretch-pu: package libemail-address-list-perl/0.05-1+deb9u1

2019-02-07 Thread Dominic Hargreaves
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Fixes CVE-2018-18898 which is exposed by request-tracker4.
Candidate package deployed and working so far on a production system.
diff -Nru libemail-address-list-perl-0.05/debian/changelog 
libemail-address-list-perl-0.05/debian/changelog
--- libemail-address-list-perl-0.05/debian/changelog2014-02-16 
23:26:24.0 +
+++ libemail-address-list-perl-0.05/debian/changelog2019-02-07 
15:18:41.0 +
@@ -1,3 +1,9 @@
+libemail-address-list-perl (0.05-1+deb9u1) UNRELEASED; urgency=medium
+
+  * [SECURITY] Fix DoS vulnerability CVE-2018-18898
+
+ -- Dominic Hargreaves   Thu, 07 Feb 2019 15:18:41 +
+
 libemail-address-list-perl (0.05-1) unstable; urgency=medium
 
   * Team upload.
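Review bot: The new changelog entry targets `UNRELEASED`, while this is a stretch-pu request for 0.05-1+deb9u1; set the distribution to `stretch` before uploading. The entry also gives no origin for the fix, and the patch file below starts directly at `diff --git` with no description header. Naming the upstream commit or release the change was taken from, in either place, would help the release team review it.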
diff -Nru libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch
--- libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
1970-01-01 01:00:00.0 +0100
+++ libemail-address-list-perl-0.05/debian/patches/CVE-2018-18898.patch 
2019-02-07 15:16:33.0 +
@@ -0,0 +1,96 @@
+diff --git a/lib/Email/Address/List.pm b/lib/Email/Address/List.pm
+index ac79577..130811a 100644
+--- a/lib/Email/Address/List.pm
 b/lib/Email/Address/List.pm
+@@ -201,36 +201,36 @@ $RE{'text'}   = qr/[^\x0A\x0D]/;
+ $RE{'quoted_pair'}= qr/\\$RE{'text'}/;
+ 
+ $RE{'atext'}  = qr/[^$RE{'CTL'}$RE{'special'}\s]/;
+-$RE{'ctext'}  = qr/(?>[^()\\]+)/;
++$RE{'ctext'}  = qr/[^()\\]++/;
+ $RE{'qtext'}  = qr/[^\\"]/;
+ $RE{'dtext'}  = qr/[^\[\]\\]/;
+ 
+ ($RE{'ccontent'}, $RE{'comment'}) = (q{})x2;
+ for (1 .. $COMMENT_NEST_LEVEL) {
+   $RE{'ccontent'} = qr/$RE{'ctext'}|$RE{'quoted_pair'}|$RE{'comment'}/;
+-  $RE{'comment'}  = qr/\s*\((?:\s*$RE{'ccontent'})*\s*\)\s*/;
++  $RE{'comment'}  = qr/(?>\s*+\((?:\s*+$RE{'ccontent'})*+\s*+\)\s*+)/;
+ }
+-$RE{'cfws'}   = qr/$RE{'comment'}|\s+/;
++$RE{'cfws'}   = qr/$RE{'comment'}++|\s*+/;
+ 
+ $RE{'qcontent'}   = qr/$RE{'qtext'}|$RE{'quoted_pair'}/;
+-$RE{'quoted-string'}  = qr/$RE{'cfws'}*"$RE{'qcontent'}+"$RE{'cfws'}*/;
++$RE{'quoted-string'}  = qr/$RE{'cfws'}"$RE{'qcontent'}*+"$RE{'cfws'}/;
+ 
+-$RE{'atom'}   = qr/$RE{'cfws'}*$RE{'atext'}++$RE{'cfws'}*/;
++$RE{'atom'}   = qr/$RE{'cfws'}$RE{'atext'}++$RE{'cfws'}/;
+ 
+-$RE{'word'}   = qr/$RE{'cfws'}* (?: $RE{'atom'} | "$RE{'qcontent'}+" 
) $RE{'cfws'}*/x;
++$RE{'word'}   = qr/$RE{'atom'} | $RE{'quoted-string'}/x;
+ $RE{'phrase'} = qr/$RE{'word'}+/x;
+ $RE{'display-name'}   = $RE{'phrase'};
+ 
+-$RE{'dot_atom_text'}  = qr/$RE{'atext'}+(?:\.$RE{'atext'}+)*/;
+-$RE{'dot_atom'}   = qr/$RE{'cfws'}*$RE{'dot_atom_text'}$RE{'cfws'}*/;
++$RE{'dot_atom_text'}  = qr/$RE{'atext'}++(?:\.$RE{'atext'}++)*/;
++$RE{'dot_atom'}   = qr/$RE{'cfws'}$RE{'dot_atom_text'}$RE{'cfws'}/;
+ $RE{'local-part'} = qr/$RE{'dot_atom'}|$RE{'quoted-string'}/;
+ 
+ $RE{'dcontent'}   = qr/$RE{'dtext'}|$RE{'quoted_pair'}/;
+-$RE{'domain_literal'} = 
qr/$RE{'cfws'}*\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}*/;
++$RE{'domain_literal'} = 
qr/$RE{'cfws'}\[(?:\s*$RE{'dcontent'})*\s*\]$RE{'cfws'}/;
+ $RE{'domain'} = qr/$RE{'dot_atom'}|$RE{'domain_literal'}/;
+ 
+ $RE{'addr-spec'}  = qr/$RE{'local-part'}\@$RE{'domain'}/;
+-$RE{'angle-addr'} = qr/$RE{'cfws'}* < $RE{'addr-spec'} > $RE{'cfws'}*/x;
++$RE{'angle-addr'} = qr/$RE{'cfws'} < $RE{'addr-spec'} > $RE{'cfws'}/x;
+ 
+ $RE{'name-addr'}  = qr/$RE{'display-name'}?$RE{'angle-addr'}/;
+ $RE{'mailbox'}= 
qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/;
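Review bot: `$RE{'cfws'}` changes meaning in this hunk, from a single comment or whitespace run (`$RE{'comment'}|\s+`) to an optional run that can match the empty string (`$RE{'comment'}++|\s*+`), and every user shown here drops its `*` to match. That is easy to miss for anyone who uses `$RE{'cfws'}` elsewhere, so a comment at the definition should say it is now self-quantified. Two further points in the same hunk: `$RE{'quoted-string'}` goes from `$RE{'qcontent'}+` to `$RE{'qcontent'}*+`, so an empty `""` is now accepted, which is a behaviour change beyond the DoS fix; and `$RE{'phrase'}` (`$RE{'word'}+`) and `$RE{'mailbox'}` (`$RE{'comment'}*`) keep ordinary quantifiers, so please confirm that is intended.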
+@@ -238,13 +238,13 @@ $RE{'mailbox'}= 
qr/(?:$RE{'name-addr'}|$RE{'addr-spec'})$RE{'comment'}*/
+ $CRE{'addr-spec'}  = qr/($RE{'local-part'})\@($RE{'domain'})/;
+ $CRE{'mailbox'} = qr/
+ (?:
+-($RE{'display-name'})?($RE{'cfws'}*)<$CRE{'addr-spec'}>($RE{'cfws'}*)
++($RE{'display-name'})?($RE{'cfws'})<$CRE{'addr-spec'}>($RE{'cfws'})
+ |$CRE{'addr-spec'}
+-)($RE{'comment'}*)
++)($RE{'comment'}*+)
+ /x;
+ 
+-$RE{'dword'}= qr/$RE{'cfws'}* (?: $RE{'atom'} | \. | 
"$RE{'qcontent'}+" ) $RE{'cfws'}*/x;
+-$RE{'obs-phrase'}   = qr/$RE{'word'} $RE{'dword'}*/x;
++$RE{'dword'}= qr/$RE{'cfws'} (?: $RE{'atom'} | \. | 
"$RE{'qcontent'}++" ) $RE{'cfws'}/x;
++$RE{'obs-phrase'}   = qr/$RE{'word'} $RE{'dword'}*+/x;
+ $RE{'obs-display-name'} = $RE{'obs-phrase'};
+ $RE{'obs-route'}= qr/
+ (?:$RE{'cfws'}|,)*
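Review bot: The unchanged context line `(?:$RE{'cfws'}|,)*` in `$RE{'obs-route'}` now repeats a group whose first alternative can match the empty string, because the previous hunk redefined `$RE{'cfws'}` as `$RE{'comment'}++|\s*+`. Please check this pattern, and any other place outside the changed lines that still applies `*` or `+` to `$RE{'cfws'}`, and bring it in line with the `$CRE{'mailbox'}` and `$RE{'dword'}` changes in this hunk, which drop the outer quantifier.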
+@@ -259,9 +259,9 @@ $CRE{'obs-addr-spec'}   = 
qr/($RE{'obs-local-part'})\@($RE{'obs-domain'})/;
+ $CRE{'obs-mailbox'} = qr/
+ (?:
+ ($RE{'obs-display-name'})?
+-($RE{'cfws'}*)< $RE{'obs-route'}? $CRE{'obs-addr-spec'} 
>

Bug#920744: Bug #920744 in request-tracker4 marked as pending

2019-01-28 Thread Dominic Hargreaves
Control: tag -1 pending

Hello,

Bug #920744 in request-tracker4 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/request-tracker-team/request-tracker4/commit/97ed2abbbdaf8d4da26616690cd554b109556ec6


Add missing dependencies on libcpanel-json-xs-perl (Closes: #920744)

I think missing this out from the previous commit was probably deliberate,
but based on flawed logic. It is safe and necessary to declare this
dependency to reflect the fact we are invoking it by name.


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/920744



Re: Potentially insecure Perl scripts

2019-01-28 Thread Dominic Hargreaves
On Fri, Jan 25, 2019 at 07:41:52PM +, Ian Jackson wrote:
> Holger Levsen writes ("Re: Potentially insecure Perl scripts"):
> > On Thu, Jan 24, 2019 at 03:18:40PM +, Ian Jackson wrote:
> > > To the Debian Perl maintainers: [...]
> > > To the Debian security team: [...]
> > 
> > I've read the whole thread and am surprised "talking to upstream" (and
> > fixing the issue there as well) hasn't really been on the table. :/ Did I
> > miss that?
> 
> This bug was reported upstream here 18 years ago
>   https://rt.perl.org/Public/Bug/Display.html?id=2783
> and they took of those years to sort-of half-document it.
> 
> I guess you mean that we should try again ?  That's probably
> worthwhile.
> 
> Maybe it would be best if this were fronted by someone who can bring
> themselves to be more diplomatic about this situation than I can find
> it in myself to be right now.

Myself or Niko can deal with taking this conversation upstream, but
please allow some time for this.

> In the meantime we do need to bear in mind that we do have
> approximately these two options:
> 
>  1. Change the behaviour of perl so that it matches the majority of
> the documentation, so that -n and -p and <> fulfil their purpose
> and can be used, and so that they satisfy the expectations (or at
> least wishes) of the vast majority of Perl programmers.
> 
> Risk a probably tiny amount of fallout.
> 
> If we do this in Debian without cooperation from upstream, set an
> example which might lead other distros to fix it too; albeit
> through diverging from upstream behaviour.
> 
>  2. Internally in Debian file a massive MBF to review thousands
> and thousands of uses for safety.
> 
> Leave the world's existing scripts to be insecure and tolerate
> that people will continue to write insecure scripts.
> 
> Write clumsy circumlocutions everywhere instead of <> and -p and
> -n.  (Note that <<>> is not right because it does not honour `-'.)
> 
> Add notes to the documentation saying never to use <> or
> -p or -n (WTF).
> 
> (2) certainly cannot be done quickly.  If (1) cannot be done quickly
> it should IMO be done slowly.

Again - please do not force us to rush this. It is not a new situation
so rushing and panicking is not warranted.

Fixing this situation in collaboration with upstream is the only sane
approach, however the final details are worked out.

Dominic.
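
The "circumlocution" from option 2 of the quoted message, as an added example that is not part of the thread: `<>`, `-n` and `-p` open each element of @ARGV with two-argument open, so this sketch opens operands with three-argument open while still honouring `-` as standard input (which, as the quoted text notes, `<<>>` does not). The function names `open_operand` and `each_input_line` and the sample file name are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): read the operands in @ARGV without
# the two-argument "magic" open that <>, -n and -p perform.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Open one command-line operand for reading.
# "-" means standard input, as it does for <>. Anything else goes through
# three-argument open, so "|", "<", ">" and leading or trailing whitespace
# are only ever part of a file name.
sub open_operand {
    my ($name) = @_;
    return \*STDIN if $name eq '-';
    my $fh;
    unless (open($fh, '<', $name)) {
        warn "Can't open $name: $!\n";
        return;
    }
    return $fh;
}

# Call $callback->($line, $name) for every line of every operand and
# return the number of operands that could not be opened.
# With no operands, read standard input, matching <>.
sub each_input_line {
    my ($callback, @operands) = @_;
    @operands = ('-') unless @operands;
    my $failures = 0;
    for my $name (@operands) {
        my $fh = open_operand($name);
        unless ($fh) { $failures++; next; }
        while (defined(my $line = <$fh>)) {
            $callback->($line, $name);
        }
        close($fh) unless $name eq '-';
    }
    return $failures;
}

# Constructed sample input: a file whose name ends in " |". Under
# two-argument open that name would be treated as a command to run;
# here it is opened as the file it is.
my $dir      = tempdir(CLEANUP => 1);
my $odd_name = "$dir/report |";
open(my $out, '>', $odd_name) or die "Can't create $odd_name: $!\n";
print {$out} "first line\nsecond line\n";
close($out) or die "Can't close $odd_name: $!\n";

my @seen;
my $failures = each_input_line(sub { push @seen, $_[0] },
                               $odd_name, "$dir/missing");
printf "read %d line(s), %d operand(s) could not be opened\n",
    scalar(@seen), $failures;
```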



Re: Potentially insecure Perl scripts

2019-01-25 Thread Dominic Hargreaves
On Thu, Jan 24, 2019 at 08:00:12PM +, Holger Levsen wrote:
> On Thu, Jan 24, 2019 at 03:18:40PM +, Ian Jackson wrote:
> > To the Debian Perl maintainers: [...]
> > To the Debian security team: [...]
> 
> I've read the whole thread and am surprised "talking to upstream" (and
> fixing the issue there as well) hasn't really been on the table. :/ Did I
> miss that?

No, I don't think you did; thank you for putting it so succinctly.
As is obvious from the discussion, this is clearly not something which
can "just" be fixed in a security upload, since any meaningful change
will break a lot of scripts which rely on it. It's also far too big
a change of behaviour to be patching in Debian without involving upstream,
and would need to be staged in unstable first.

By comparison, the work preparing patches and then analysing
the fallout for the '.' in @INC removal (which mostly happened under
embargo), took about a year between the more serious apt related
security impact being understood by the perl5 security team and public
disclosure[1]. And that was with a lot of effort from different quarters.

Some have postulated that the breakage caused here is likely to be
at least as bad. I don't have a clear assessment of that yet but
this discussion is ongoing.

I have informally made a few upstream perl folks aware of this
thread, but I have not raised it formally as a bug until I have had a
chance to understand the various issues a bit better. But I think I
can safely say that this isn't something that's going to appear in
stable-security any time soon.

It does seem like the upstream plan from 2008 to introduce <<>> and
then get scripts updated to be safer didn't work, as many people writing
perl were not aware of this new operator. So there is definitely scope for
reconsidering upstream - but again, this won't happen overnight.

Also, I think it's worth trying to identify what the worst extent
of the issue is. Whilst I don't agree with some who say that this isn't
a security issue at all, I don't know of any real-world cases where
it would be exploitable for remote code execution. If someone would
like to contradict me, please feel free to mail off-list. Either way,
the fact remains that if untrusted/unsanitised input is being passed
into your @ARGV, then something is already wrong. It is worth
noting that it took a real (embargoed) RCE exploit to get the wheels in
motion to eventually fix '.' in @INC.

Thanks,
Dominic.
on behalf of the Debian perl maintainers

[1] 



Bug#919059: ensymble: Time to retire

2019-01-12 Thread Dominic Hargreaves
Source: ensymble
Version: 0.29-1
Severity: serious
Justification: maintainer

I'm going to hazard a guess and say that there is absolutely nobody
using this in Debian. Certainly popcon indicates that way. As far as
I can see there is no active development upstream since 2010 and now
no active VCS (it's on Google Code archive).

Whilst the package might still work, I have no easy way to test this.

So let's not release it any more. If anyone reading this disagrees,
let me know! 

Cheers,
Dominic.



Accepted libapache2-mod-perl2 2.0.10-2+deb9u1 (all amd64 source) into proposed-updates->stable-new, proposed-updates

2019-01-03 Thread Dominic Hargreaves
Format: 1.8
Date: Tue, 01 Jan 2019 14:04:06 +
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: all amd64 source
Version: 2.0.10-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Dominic Hargreaves 
Closes: 644169
Description: 
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - documentation
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
Changes:
 libapache2-mod-perl2 (2.0.10-2+deb9u1) stretch; urgency=medium
 .
   * [SECURITY] CVE-2011-2767: don't allow  sections in
 user controlled configuration (Closes: #644169)



Bug#917656: libnet-server-mail-perl: FTBFS (failing tests)

2019-01-01 Thread Dominic Hargreaves
On Tue, Jan 01, 2019 at 10:43:20PM +0100, Xavier wrote:
> Control: reassign -1 perl-modules-5.28
> Control: severity -1 normal
> 
> Hi all,
> 
> it seems that Net::SMTP->new() fails randomly when launched during
> Net::Server::Mail tests: $s is sometimes undefined after this:
> 
>   my $s = Net::SMTP->new( $host, Port => $port, Hello => 'localhost' );

What does $@ contain when this happens?

I couldn't reproduce this myself using the attached, could you look
at providing a reproducible test case?

> http://matrix.cpantesters.org/?dist=Net-Server-Mail+0.26 also shows that
> this rarely happens since the release of 5.28.0 (1/22), never before.
> 
> I added a workaround for now in libnet-server-mail-perl tests (warn and
> return when $s is undefined).

(You probably want to log $@ in this case, too).

Cheers,
Dominic.
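#!/usr/bin/perl

# Reproduction attempt: connect to the local SMTP server in a loop and
# stop with the error from Net::SMTP as soon as one connection fails.
use strict;
use warnings;
use Net::SMTP;

STDOUT->autoflush(1);

while (1) {
    print ".";
    my $s = Net::SMTP->new( 'localhost', Port => 25, Hello => 'localhost' );
    defined $s || die $@;
}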


Bug#917967: lintian: drop versioned-dependency-satisfied-by-perl

2019-01-01 Thread Dominic Hargreaves
Package: lintian
Version: 2.5.118
Tags: patch
X-Debbugs-Cc: debian-p...@lists.debian.org

Now that perl provides its dual-lived module packages with versions,
this check is unneeded.

In time, a new check could be added recommending that the complex
form previously recommended be dropped, but I suggest that be treated
separately.

Cheers,
Dominic.
>From a60d4fcc63adbfe541c151d9b5079df74dd0fbc9 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves 
Date: Tue, 1 Jan 2019 18:05:46 +
Subject: [PATCH] Remove versioned-dependency-satisfied-by-perl

perl now uses versioned provides, so the advice given here is
redundant.
---
 checks/fields.desc   | 28 
 checks/fields.pm | 16 --
 t/tests/fields-depends-general/debian/control.in |  4 ++--
 t/tests/fields-depends-general/desc  |  1 -
 t/tests/fields-depends-general/tags  |  2 --
 5 files changed, 2 insertions(+), 49 deletions(-)

diff --git a/checks/fields.desc b/checks/fields.desc
index 4158e6506..9f3e862a0 100644
--- a/checks/fields.desc
+++ b/checks/fields.desc
@@ -967,34 +967,6 @@ Certainty: certain
 Info: The uploader appears more than once in the Uploaders
  field. The duplicate information should be removed.
 
-Tag: versioned-dependency-satisfied-by-perl
-Severity: normal
-Certainty: certain
-Info: This package declares an unnecessary versioned dependency
- on a package that is also provided by one of the Perl core packages
- (perl, perl-base, perl-modules) with at least the required version.
- .
- As versioned dependencies are not satisfied by provided packages,
- this unnecessarily pulls in a separately packaged newer version
- of the module.
- .
- The recommended way to express the dependency without needless
- complications on backporting packages is to use alternative dependencies.
- The perl package should be the preferred alternative and the
- versioned dependency a secondary one.
- .
- Example: perl (= 5.10.0) | libmodule-build-perl (= 0.26)
- .
- An exception to this is when the dependency is only satisfied in a
- version of perl in experimental. In this case, the dependency on perl
- should come second.
- .
- Example: libextutils-parsexs-perl (= 2.21) | perl (= 5.14)
- .
- Running cme fix dpkg -from control -filter Depends should be able
- to update these dependencies.
-Ref: policy 7.5
-
 Tag: package-superseded-by-perl
 Severity: normal
 Certainty: certain
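Review bot: the removed description rests on "As versioned dependencies are not satisfied by provided packages", and the commit message says this is now redundant because perl uses versioned provides, but it does not say from which perl upload that holds. Naming that version in the commit message would let someone running lintian against an older release judge whether the advice still applied there.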
diff --git a/checks/fields.pm b/checks/fields.pm
index 37d885b96..274b685b1 100644
--- a/checks/fields.pm
+++ b/checks/fields.pm
@@ -906,14 +906,6 @@ sub run {
   if ("$d_pkg-doc" eq $pkg
 && $field =~ /^(?:pre-)?depends$/);
 
-# only trigger this for the preferred alternative
-tag 'versioned-dependency-satisfied-by-perl',
-  "$field: $part_d_orig"
-  if $alternatives[0][-1] eq $part_d_orig
-  && &$is_dep_field($field)
-  && perl_core_has_version($d_pkg, $d_version->[0],
-$d_version->[1]);
-
 tag 'package-relation-with-perl-modules', "$field: $d_pkg"
   # matches "perl-modules" (<= 5.20) as well as
   # perl-modules-5.xx (>> 5.20)
@@ -1182,14 +1174,6 @@ sub run {
   # perl-modules-5.xx (>> 5.20)
   if $d_pkg =~ /^perl-modules/
   && $proc->pkg_src ne 'perl';
-
-# only trigger this for the preferred alternative
-tag 'versioned-dependency-satisfied-by-perl',
-  "$field: $part_d_orig"
-  if $alternatives[0][-1] eq $part_d_orig
-  && &$is_dep_field($field)
-  && perl_core_has_version($d_pkg, $d_version->[0],
-$d_version->[1]);
 }
 
 my $all_obsolete = 0;
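Review bot: both removed blocks in checks/fields.pm call perl_core_has_version(), and the diffstat's 16 deletions for this file are fully accounted for by these two 8-line blocks, so the helper itself stays in place. Please confirm that another check still calls it, and if none does, remove the helper in the same commit rather than leaving dead code behind.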
diff --git a/t/tests/fields-depends-general/debian/control.in b/t/tests/fields-depends-general/debian/control.in
index 4b6672bf2..abedf22b5 100644
--- a/t/tests/fields-depends-general/debian/control.in
+++ b/t/tests/fields-depends-general/debian/control.in
@@ -3,14 +3,14 @@ Priority: optional
 Section: {$section}
 Maintainer: {$author}
 Standards-Version: {$standards_version}
-Build-Depends: {$build_depends}, libtest-simple-perl (>= 0.98), perl-modules
+Build-Depends: {$build_depends}, perl-modules
 Rules-Requires-Root: no
 
 Package: {$source}
 Architecture: all
 Depends: $\{shlibs:Depends\}, $\{misc:Depends\}, xorg, bash,
  conflict-dep, gawk | awk, new-package | xbase-clients (>= 0.1), {$source},
- gaim (>= 0.1), emacs21, emacs22, emacs23, makedev, libtest

Bug#761219: debian-policy: document versioned Provides

2019-01-01 Thread Dominic Hargreaves
On Fri, Mar 13, 2015 at 01:38:16PM -0400, David Prévot wrote:
> On Thu, Sep 11, 2014 at 09:57:57PM +0300, Niko Tyni wrote:
> 
> > dpkg 1.17.11 and apt 1.0.7 recently implemented support for versioned
> > provides.
> […]
> > This clearly needs an update. No proposed wording yet, sorry.
> 
> Here is a simple one, stripping away the incorrect restriction. The
> consideration about versioned virtual package may evolve with the dpkg
> implementation, so I don’t believe it is worth it to document it in the
> policy, at least not right now anyway.

Now that all the known glitches with practical support for versioned
Provides have been ironed out, and perl has been uploaded with versioned
provides, I believe it's time to address this policy question again.

I've attached an updated patch based on the discussion on this bug report,
noting that the discussion about backporting is now moot given the
time that has elapsed and that even jessie is barely a backporting
target now.

Cheers,
Dominic.
>From c55183e7fbc08018b71a413c2a533d470642f4d0 Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves 
Date: Tue, 1 Jan 2019 18:36:54 +
Subject: [PATCH] Remove restrictions on versioned Provides

Closes: #761219
---
 policy/ch-relationships.rst | 34 +-
 1 file changed, 13 insertions(+), 21 deletions(-)

diff --git a/policy/ch-relationships.rst b/policy/ch-relationships.rst
index 1d790e8..807face 100644
--- a/policy/ch-relationships.rst
+++ b/policy/ch-relationships.rst
@@ -17,15 +17,16 @@ package names, separated by vertical bar (pipe) symbols ``|``. In such a
 case, that part of the dependency can be satisfied by any one of the
 alternative packages.  [#]_
 
-All of the fields except for ``Provides`` may restrict their
-applicability to particular versions of each named package. This is done
-in parentheses after each individual package name; the parentheses
-should contain a relation from the list below followed by a version
-number, in the format described in :ref:`s-f-Version`.
+All of the fields may restrict their applicability to particular versions
+of each named package. This is done in parentheses after each individual
+package name; the parentheses should contain a relation from the list
+below followed by a version number, in the format described in
+:ref:`s-f-Version`.
 
 The relations allowed are ``<<``, ``<=``, ``=``, ``>=`` and ``>>`` for
 strictly earlier, earlier or equal, exactly equal, later or equal and
-strictly later, respectively.  [#]_
+strictly later, respectively. The exception is the Provides field, for
+which only ``=`` is allowed.  [#]_
 
 Whitespace may appear at any point in the version specification subject
 to the rules in :ref:`s-controlsyntax`, and must appear
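Review bot: in the added sentence "The exception is the Provides field, for which only ``=`` is allowed", the field name lacks the double backticks that the removed line used for ``Provides``. The rewritten first paragraph also now tells the reader that all fields accept "a relation from the list below" before the exception appears a paragraph later; consider stating the restriction on ``Provides`` in the first paragraph, or at least marking the field name up consistently.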
@@ -446,17 +447,10 @@ they can say:
 and the ``bar-plus`` package will now also satisfy the dependency for
 the ``foo`` package.
 
-If a relationship field has a version number attached, only real
-packages will be considered to see whether the relationship is satisfied
-(or the prohibition violated, for a conflict or breakage). In other
-words, if a version number is specified, this is a request to ignore all
-``Provides`` for that package name and consider only real packages. The
-package manager will assume that a package providing that virtual
-package is not of the "right" version. A ``Provides`` field may not
-contain version numbers, and the version number of the concrete package
-which provides a particular virtual package will not be considered when
-considering a dependency on or conflict with the virtual package name.
-[#]_
+A ``Provides`` field may contain version numbers, and the version number
+of the concrete package which provides a particular virtual package will
+be considered when considering a dependency on or conflict with the
+virtual package name.  [#]_
 
 To specify which of a set of real packages should be the default to
 satisfy a particular dependency on a virtual package, list the real
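Review bot: the replacement paragraph says "the version number of the concrete package which provides a particular virtual package will be considered", which reads as if the providing package's own version were compared, whereas what is matched is the version given in the ``Provides`` field. The new text also drops the old paragraph without saying what happens when a ``Provides`` entry carries no version; suggest wording along the lines of "the version given in the Provides field is used, and a Provides without a version does not satisfy a versioned relationship".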
@@ -670,10 +664,8 @@ dependencies.
together and then configured in their dependency order.
 
 .. [#]
-   It is possible that a future release of ``dpkg`` may add the ability
-   to specify a version number for each virtual package it provides.
-   This feature is not yet present, however, and is expected to be used
-   only infrequently.
+   This functionality was introduced in dpkg 1.17.11 and newer and
+   full support has been provided in the Debian archive since 2018.
 
 .. [#]
To see why ``Breaks`` is normally needed in addition to ``Replaces``,
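Review bot: in the rewritten footnote, "introduced in dpkg 1.17.11 and newer" mixes two statements, since a feature is introduced in one version, and "full support has been provided in the Debian archive since 2018" gives the reader nothing to check against. Suggest "introduced in dpkg 1.17.11" and naming the component or release whose support was completed in 2018.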
-- 
2.11.0



Bug#907974: perl-doc-html: Should be updated to 5.28 at the point of the transition

2019-01-01 Thread Dominic Hargreaves
On Mon, Nov 05, 2018 at 08:54:13PM +0200, Niko Tyni wrote:
> Control: severity -1 serious
> 
> On Tue, Sep 04, 2018 at 05:40:41PM +0100, Dominic Hargreaves wrote:
> > Source: perl-doc-html
> > Version: 5.26.0-4
> > Severity: wishlist
> > User: debian-p...@lists.debian.org
> > Usertags: perl-5.28-transition
> > X-Debbugs-Cc: p...@packages.debian.org
> > 
> > We should make this bug serious at the point of the 5.28 transition
> > so that we don't end up releasing with documentation for the wrong 
> > version of perl.
> > 
> > See #907273 and #154963 for additional context.
> 
> Perl 5.28 transition is done now, so raising the severity of this bug.

I'm not sure where the original tooling for perldoc.perl.org has gone,
but it seems like it might not be the best option these days.

Possible alternative source:

https://perldoc.pl/
https://github.com/Grinnz/perldoc-browser
https://metacpan.org/pod/Mojolicious::Command::export



[perl.git] branch maint-votes updated. 74828ef48ce225decb962b95797f9ce412b17f1e

2019-01-01 Thread Dominic Hargreaves
In perl.git, the branch maint-votes has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/74828ef48ce225decb962b95797f9ce412b17f1e?hp=2087784c8759f5f58e360458307d617bbfe531a6>

- Log -
commit 74828ef48ce225decb962b95797f9ce412b17f1e
Author: Dominic Hargreaves 
Date:   Tue Jan 1 16:16:11 2019 +

Update vote for additional patch needed

---

Summary of changes:
 votes-5.28.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/votes-5.28.xml b/votes-5.28.xml
index 5bcea2ec07..654fcd20f3 100644
--- a/votes-5.28.xml
+++ b/votes-5.28.xml
@@ -40,7 +40,7 @@ The same criteria apply to code in dual-life modules as to 
core code.)
 
 
 
-
+
 
 
 

-- 
Perl5 Master Repository


Bug#914046: ircd-hybrid: Hangs indefinitely during install

2019-01-01 Thread Dominic Hargreaves
Control: tags -1 + moreinfo

On Sun, Nov 18, 2018 at 08:49:37PM +0100, Genomian wrote:
> Dear Maintainer,
> during install (dpkg --configure) postinst hangs, it seems because of service 
> starting,
> since from what I've seen typing # service irc-hybrid stop in another console 
> fix the problem

Hi,

Sorry for the delay in responding.

I wasn't able to reproduce this issue; could you provide more information?
Does it happen after a fresh install? (run apt-get remove --purge ircd-hybrid
first) or only on an upgrade?

Is it possible that it's being very slow to generate an SSL key? I
note you're running on a raspberry pi and I don't know what the situation
with entropy generation is like there.

If you can inspect the system when it's hanging to see if any processes
are running (ps axww) that would be interesting.

Thanks,
Dominic.



Bug#913885: stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1

2019-01-01 Thread Dominic Hargreaves
On Mon, Dec 03, 2018 at 08:17:44AM +0100, Julien Cristau wrote:
> Control: tag -1 confirmed
> 
> On Fri, Nov 16, 2018 at 12:57:27PM +, Dominic Hargreaves wrote:
> > diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog 
> > libapache2-mod-perl2-2.0.10/debian/changelog
> > --- libapache2-mod-perl2-2.0.10/debian/changelog2016-12-25 
> > 09:51:10.0 +
> > +++ libapache2-mod-perl2-2.0.10/debian/changelog2018-11-16 
> > 12:46:23.0 +
> > @@ -1,3 +1,10 @@
> > +libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium
> > +
> > +  * [SECURITY] CVE-2011-2767: don't allow  sections in
> > +user controlled configuration (Closes: #644169)
> > +
> > + -- Dominic Hargreaves   Fri, 16 Nov 2018 12:46:23 +
> > +
> >  libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium
> >  
> >* Patch the test suite for Apache 2.4.24 compatibility.
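Review bot: the new changelog stanza still targets UNRELEASED, which has to read stretch before this can go to a stable point release, and the CVE-2011-2767 line does not name the patch file or upstream commit that carries the fix. Adding that reference next to "(Closes: #644169)" would let the security change be audited from the changelog alone.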
> 
> With s/UNRELEASED/stretch/, and assuming this has been tested in
> stretch, go ahead.

Hi,

Sorry for the long delay, now done - yes, it has been tested in stretch.

Best,
Dominic.



Bug#915366: perlfaq4: the section on indented here documents should mention the ~ modifier

2019-01-01 Thread Dominic Hargreaves
Control: forwarded -1 https://rt.perl.org/Ticket/Display.html?id=133746

On Fri, Dec 28, 2018 at 01:06:54PM -0500, Celejar wrote:
> On Thu, 6 Dec 2018 23:04:50 +
> Dominic Hargreaves  wrote:
> 
> > On Sun, Dec 02, 2018 at 11:17:47PM -0500, Celejar wrote:
> > > perlfaq4 has a question "Why don't my <
> > > of the answer deals with ways to write indented here documents. These
> > > are largely kludges, however, and the faq should really mention the ~
> > > modifier (described in perlop), which was introduced precisely in order
> > > to provide a clean way to do this.
> > 
> > Hi,
> > 
> > Thanks for pointing this out. Would you be able to contribute
> > a suggested text (either as a diff, or otherwise) for this that
> > we can forward upstream?
> 
> Sorry for the delay - Gmail has been leaving some of my Debian mail in
> the spam folder lately.
> 
> I'm not sure that I feel comfortable making significant revisions to
> the whole FAQ answer - I'm not much of a Perl guru - so I'm just going
> to supply a paragraph that can be added to the end of "Why don't my
> < in recent Perl:
> 
> --
> Beginning with Perl version 5.26, a much simpler and cleaner way to
> write indented here documents has been added to the language: the tilde
> (~) modifier. See "Indented Here-docs" in perlop for details.
> -

Thanks, I've forwarded this upstream!

Best,
Dominic.



[perl.git] branch maint-votes updated. 6f5df42db77e151011216e7a9d32214f2036837e

2018-12-16 Thread Dominic Hargreaves
In perl.git, the branch maint-votes has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/6f5df42db77e151011216e7a9d32214f2036837e?hp=58624385f3d09139705e6b307f570c40add52544>

- Log -
commit 6f5df42db77e151011216e7a9d32214f2036837e
Author: Dominic Hargreaves 
Date:   Sun Dec 16 12:13:38 2018 +

Propose pipe-open file descriptors fix

---

Summary of changes:
 votes-5.28.xml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/votes-5.28.xml b/votes-5.28.xml
index 7b3f3ccaf0..f5d1fd9d4c 100644
--- a/votes-5.28.xml
+++ b/votes-5.28.xml
@@ -41,6 +41,8 @@ The same criteria apply to code in dual-life modules as to 
core code.)
 
 
 
+
+
 
 
 New Feature Fixes

-- 
Perl5 Master Repository


Bug#916313: perl: open "|command" does not set up child process's stdin correctly on perl 5.28 (5.24 is OK)

2018-12-15 Thread Dominic Hargreaves
Control: tags -1 + confirmed
Control: forwarded -1 https://rt.perl.org/Ticket/Display.html?id=133726

On Wed, Dec 12, 2018 at 04:54:22PM -0500, Zygo Blaxell wrote:
> Dear Maintainer,
> 
> The following one-line perl script fails:
> 
>   perl -e 'close(STDIN); open(CHILD, "|wc -l")'
> 
> On Debian stable (5.24.1-3+deb9u5) it produces:
> 
>   $ perl -e 'close(STDIN); open(CHILD, "|wc -l")'
>   0
> 
> but on Debian testing/unstable (5.28.1-1, 5.28.1-3) it produces:
> 
>   $ perl -e 'close(STDIN); open(CHILD, "|wc -l")'
>   wc: 'standard input': Bad file descriptor
>   0
>   wc: -: Bad file descriptor
> 
> Other variants of open to a command
> (e.g. open(CHILD, "-|") || exec ...) are similarly broken if STDIN is closed.
> 
> This wreaks havoc on Perl filter scripts that pass data between child
> shell commands: the commands unexpectedly get EBADF when reading from
> stdin, or they unexpectedly use one of the other files they open as
> their stdin.

Thanks for the report! After some investigation, I forwarded the report
upstream, and I believe a patch should be available shortly.

Best,
Dominic.
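
The failure mode in this report, as an added C example that is not part of the original thread and is not Perl's own code: a pipe-open done while fd 0 is closed receives the pipe's read end on fd 0, so the usual dup2() onto stdin is skipped. The example assumes a runtime that marks new descriptors close-on-exec (the thread does not state the root cause); `pipe_open_status`, `simulated_parent`, `exec_reader` and `set_cloexec` are hypothetical names.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: set (on != 0) or clear FD_CLOEXEC on a descriptor. */
static int set_cloexec(int fd, int on)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    flags = on ? (flags | FD_CLOEXEC) : (flags & ~FD_CLOEXEC);
    return fcntl(fd, F_SETFD, flags);
}

/* Child side of a pipe-open: make the pipe's read end the command's stdin. */
static void exec_reader(int rd, int wr, int clear_cloexec_on_fd0)
{
    close(wr);
    if (rd != 0) {
        /* Usual case: dup2() creates an fd 0 that is not close-on-exec. */
        if (dup2(rd, 0) < 0)
            _exit(126);
        close(rd);
    } else if (clear_cloexec_on_fd0) {
        /* Pipe already sits on fd 0: no dup2() runs, so the flag must be
         * cleared explicitly or the command starts without a stdin. */
        if (set_cloexec(0, 0) < 0)
            _exit(126);
    }
    /* Otherwise the defect is reproduced: fd 0 is closed by exec. */

    int sink = open("/dev/null", O_WRONLY);    /* keep the demo quiet */
    if (sink >= 0) {
        dup2(sink, 1);
        dup2(sink, 2);
        if (sink > 2)
            close(sink);
    }
    execlp("cat", "cat", (char *)NULL);
    _exit(127);
}

/* Plays the script doing the pipe-open; exits with the command's status. */
static void simulated_parent(int close_stdin_first, int clear_cloexec_on_fd0)
{
    int p[2], status;

    signal(SIGPIPE, SIG_IGN);       /* the reader may be gone when we write */
    if (close_stdin_first) {
        close(0);
    } else {
        int fd = open("/dev/null", O_RDONLY);  /* guarantee fd 0 is in use */
        if (fd > 0)
            close(fd);
    }
    /* Assumption: the runtime marks every new descriptor close-on-exec. */
    if (pipe(p) < 0 || set_cloexec(p[0], 1) < 0 || set_cloexec(p[1], 1) < 0)
        _exit(125);
    if (close_stdin_first && p[0] != 0)
        _exit(125);                 /* pipe should reuse the free fd 0 */

    pid_t pid = fork();
    if (pid < 0)
        _exit(125);
    if (pid == 0)
        exec_reader(p[0], p[1], clear_cloexec_on_fd0);

    close(p[0]);
    if (write(p[1], "a\nb\n", 4) < 0) {
        /* EPIPE: the command lost its stdin and has already exited. */
    }
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        _exit(125);
    _exit(WEXITSTATUS(status));
}

/* Returns the command's exit status: 0 means it could read its stdin. */
int pipe_open_status(int close_stdin_first, int clear_cloexec_on_fd0)
{
    int status;
    pid_t pid = fork();             /* isolate the caller's own fd 0 */
    if (pid < 0)
        return -1;
    if (pid == 0)
        simulated_parent(close_stdin_first, clear_cloexec_on_fd0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("stdin open,   no fix: %d\n", pipe_open_status(0, 0));
    printf("stdin closed, no fix: %d\n", pipe_open_status(1, 0));
    printf("stdin closed, fixed:  %d\n", pipe_open_status(1, 1));
    return 0;
}
```

A non-zero status in the middle case is `cat` failing with "Bad file descriptor", the same symptom `wc` shows in the report.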



Bug#912682: e: Bug#912682: usefulness of this package?

2018-12-13 Thread Dominic Hargreaves
On Wed, Dec 12, 2018 at 10:43:17AM +0100, Cyrille Bollu wrote:
> On Tue, 11 Dec 2018 15:13:11 +0000 Dominic Hargreaves  wrote:
> > On Tue, Dec 11, 2018 at 10:06:45AM +0100, Cyrille Bollu wrote:
> > > From its debian/control file:
> > >
> > > > This module is already included as part of Perl's core distribution, so
> > > > this package is only beneficial when newer features or bug fixes are
> > > > required.
> > >
> > > I don't understand how
> >
> > The perl package provides the same package via a Provides entry:
> > libextutils-parsexs-perl (= 3.39). This is newer than the version
> > in the separate package (against which this bug is filed) so this
> > package will never be selected for installation.
> >
> > This could change if a newer version is uploaded, but until then,
> > the separate package should not be released.
> >
> > Dominic.
> >
> 
> Ok but I don't see how this bug differs from #915550 and #915876 for both
> of which the intent seems to remove the corresponding packages.
> 
> Shouldn't this package also be considered for removal?

Perhaps. We usually leave it a while in case it is upgraded, as the cost
of having it around for "a while" in unstable only is judged cheaper than
the extra work needed to remove it and then reintroduce it. I think this
is mostly a matter of personal opinion and we don't have a firm policy
on this, but I'm sure other list members will correct me if I'm wrong.

Dominic.



Bug#912682: usefulness of this package?

2018-12-11 Thread Dominic Hargreaves
On Tue, Dec 11, 2018 at 10:06:45AM +0100, Cyrille Bollu wrote:
> From its debian/control file:
> 
> > This module is already included as part of Perl's core distribution, so
> > this package is only beneficial when newer features or bug fixes are required.
> 
> I don't understand how

The perl package provides the same package via a Provides entry:
libextutils-parsexs-perl (= 3.39). This is newer than the version
in the separate package (against which this bug is filed) so this 
package will never be selected for installation.

This could change if a newer version is uploaded, but until then,
the separate package should not be released.

Dominic.



Bug#915868: perl: Consider updating stable to perl 5.24.4

2018-12-07 Thread Dominic Hargreaves
Source: perl
Version: 5.24.1-3+deb9u5
Severity: wishlist

In the jessie release cycle we decided to upload a maintenance
release of 5.20.x, which was quite successful (though we noted a full
archive rebuild would be needed in the future), due to one regression.

Considering a similar process for stretch, upstream is up to
5.24.4, so it would be interesting to analyse the delta between these
two releases, to see if there are any changes which would benefit our
users.



[perl.git] branch maint-votes updated. 5d36eaf2b64d691a0772439df94b51485df4fe60

2018-12-07 Thread Dominic Hargreaves
In perl.git, the branch maint-votes has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/5d36eaf2b64d691a0772439df94b51485df4fe60?hp=39fda5e8d93f00ab7ec77a2f35074c0aceb28c1e>

- Log -
commit 5d36eaf2b64d691a0772439df94b51485df4fe60
Author: Dominic Hargreaves 
Date:   Fri Dec 7 12:56:12 2018 +

Voted for inplace edit regression fixes

These are applied and tested in Debian unstable (based on 5.28.1)

---

Summary of changes:
 votes-5.28.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/votes-5.28.xml b/votes-5.28.xml
index 8f624846a0..5932c2c508 100644
--- a/votes-5.28.xml
+++ b/votes-5.28.xml
@@ -37,9 +37,9 @@ The same criteria apply to code in dual-life modules as to 
core code.)
 
 
 
-
-
-
+
+
+
 
 
 

-- 
Perl5 Master Repository


Bug#915366: perlfaq4: the section on indented here documents should mention the ~ modifier

2018-12-06 Thread Dominic Hargreaves
On Sun, Dec 02, 2018 at 11:17:47PM -0500, Celejar wrote:
> perlfaq4 has a question "Why don't my <
> of the answer deals with ways to write indented here documents. These
> are largely kludges, however, and the faq should really mention the ~
> modifier (described in perlop), which was introduced precisely in order
> to provide a clean way to do this.

Hi,

Thanks for pointing this out. Would you be able to contribute
a suggested text (either as a diff, or otherwise) for this that
we can forward upstream?

Cheers,
Dominic.



Bug#915550: libautodie-perl: superseded by perl

2018-12-06 Thread Dominic Hargreaves
On Tue, Dec 04, 2018 at 07:52:19PM +0200, Niko Tyni wrote:
> Package: libautodie-perl
> Version: 2.29-2
> Severity: serious
> 
> This is a separately packaged version of a module that
> is also bundled with Perl core.
> 
> The last upstream release of autodie was over three years ago, despite
> the rather serious bug in it (#798096). I don't think there's any value
> in releasing buster with this as a separate package.

Okay, so any reason not to just request an RM now?

Cheers,
Dominic.



[perl.git] branch blead updated. v5.29.5-71-g2aac7c0f5a

2018-12-06 Thread Dominic Hargreaves
In perl.git, the branch blead has been updated



- Log -
commit 2aac7c0f5aadfdcbc35fd5bdb7e2a4346759c8bd
Author: Niko Tyni 
Date:   Sun Dec 2 11:57:01 2018 +0200

Fix t/porting/manifest.t failures when run in a foreign git checkout

The change at ba6733216202523a95b0b7ee2e534b8e30b6d7df didn't work
correctly: find_git_or_skip() in t/test.pl looks at PERL_BUILD_PACKAGING
too late, so it doesn't change the logic of skipping, only the explanation
of why tests get skipped if they do. This was originally reported at
.

Committer: update commit message for upstream context

---

Summary of changes:
 t/test.pl | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/t/test.pl b/t/test.pl
index 406864d86d..25eae4009d 100644
--- a/t/test.pl
+++ b/t/test.pl
@@ -200,7 +200,9 @@ sub find_git_or_skip {
$source_dir = '.'
}
 }
-if ($source_dir) {
+if ($ENV{'PERL_BUILD_PACKAGING'}) {
+   $reason = 'PERL_BUILD_PACKAGING is set';
+} elsif ($source_dir) {
my $version_string = `git --version`;
if (defined $version_string
  && $version_string =~ /\Agit version (\d+\.\d+\.\d+)(.*)/) {
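Review bot: the new first branch tests `$ENV{'PERL_BUILD_PACKAGING'}` for truth, so a build that exports it as `0` or as an empty string still falls through to the `elsif ($source_dir)` git probe. The removed block used the same test, so behaviour is unchanged, but if any defined value is meant to force the skip, use `defined $ENV{'PERL_BUILD_PACKAGING'}`, or document that the variable must hold a true value.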
@@ -213,9 +215,6 @@ sub find_git_or_skip {
 } else {
$reason = 'not being run from a git checkout';
 }
-if ($ENV{'PERL_BUILD_PACKAGING'}) {
-   $reason = 'PERL_BUILD_PACKAGING is set';
-}
 skip_all($reason) if $_[0] && $_[0] eq 'all';
 skip($reason, @_);
 }
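Review bot: with the trailing `PERL_BUILD_PACKAGING` override removed ahead of `skip_all($reason)`, nothing in the sub records why the environment check has to come before the `$source_dir` branch. Add a one-line comment at the new location, and consider a regression test that sets the variable inside a git checkout, so a later tidy-up does not move the check back to where it only changed the skip message.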

-- 
Perl5 Master Repository


[perl.git] branch smoke-me/dom/fix-test.pl-vendor-git created. v5.29.5-69-g6d2729f582

2018-12-05 Thread Dominic Hargreaves
In perl.git, the branch smoke-me/dom/fix-test.pl-vendor-git has been created



at  6d2729f5829a8c681a44999ef3c902be309b7151 (commit)

- Log -
commit 6d2729f5829a8c681a44999ef3c902be309b7151
Author: Niko Tyni 
Date:   Sun Dec 2 11:57:01 2018 +0200

Fix t/porting/manifest.t failures when run in a foreign git checkout

The change at ba6733216202523a95b0b7ee2e534b8e30b6d7df didn't work
correctly: find_git_or_skip() in t/test.pl looks at PERL_BUILD_PACKAGING
too late, so it doesn't change the logic of skipping, only the explanation
of why tests get skipped if they do. This was originally reported at
.

Committer: update commit message for upstream context

---

-- 
Perl5 Master Repository


Bug#915608: RM: libperl-apireference-perl -- ROM; Unmaintained upstream, unused, maintenance burden

2018-12-05 Thread Dominic Hargreaves
Package: ftp.debian.org
Severity: normal

This package needs to be updated every time there is a new upstream release
of perl. This no longer seems to happen upstream, so we are carrying a large
number of patches which we have to create every time. The work is mechanical,
but since the package appears to also have negligible use
(22/0/2 inst/vote/recent in popcon) I don't think this is warranted.



Accepted perl 5.24.1-3+deb9u5 (all amd64 source) into proposed-updates->stable-new, proposed-updates

2018-12-03 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 29 Nov 2018 11:11:57 +
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 
perl
Architecture: all amd64 source
Version: 5.24.1-3+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Description: 
 libperl5.24 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules-5.24 - Core Perl modules
Changes:
 perl (5.24.1-3+deb9u5) stretch-security; urgency=high
 .
   * [SECURITY] CVE-2018-18311: Integer overflow leading to buffer
 overflow and segmentation fault
   * [SECURITY] CVE-2018-18312: Heap-buffer-overflow write in S_regatom
 (regcomp.c)
   * [SECURITY] CVE-2018-18313: Heap-buffer-overflow read in regcomp.c
   * [SECURITY] CVE-2018-18314: Heap-based buffer overflow in extended
 character classes

-BEGIN PGP SIGNATURE-



Accepted perl 5.20.2-3+deb8u12 (all amd64 source) into oldstable

2018-11-30 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Fri, 30 Nov 2018 13:00:03 +
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u12) jessie-security; urgency=high
 .
   * [SECURITY] CVE-2018-18311: Integer overflow leading to buffer
 overflow and segmentation fault

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Bug#915096: libperl-apireference-perl: Missing support for perl 5.28.1

2018-11-30 Thread Dominic Hargreaves
Source: libperl-apireference-perl
Version: 0.22-9
Severity: grave
Justification: ftbfs

This package needs an update for perl 5.28.1, which was uploaded to
unstable yesterday.



Bug#915086: libcommon-sense-perl: not installable with perl 5.28.1-1

2018-11-30 Thread Dominic Hargreaves
affects 915052 libpar-packer-perl libdevel-cover-perl libclass-xsaccessor-perl 
libcommon-sense-perl
thanks

On Fri, Nov 30, 2018 at 10:53:18AM +0100, Vincent Lefevre wrote:
> On 2018-11-30 09:45:52 +0000, Dominic Hargreaves wrote:
> > On Fri, Nov 30, 2018 at 10:01:25AM +0100, Vincent Lefevre wrote:
> > > libcommon-sense-perl 3.74-2+b6 has
> > > 
> > >   Depends: perl (>= 5.28.0~), perlapi-5.28.0, perl (<< 5.28.1~)
> > > 
> > > thus is not installable with perl 5.28.1-1.
> > 
> > A binNMU has already been requested:
> > 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915052
> 
> Thanks. I'm wondering whether an "affects" should have been added on
> the concerned packages to make this bug visible on their bug pages
> and with reportbug.

Fair point, done.



Bug#915086: libcommon-sense-perl: not installable with perl 5.28.1-1

2018-11-30 Thread Dominic Hargreaves
On Fri, Nov 30, 2018 at 10:01:25AM +0100, Vincent Lefevre wrote:
> Package: libcommon-sense-perl
> Version: 3.74-2+b6
> Severity: grave
> Justification: renders package unusable
> 
> libcommon-sense-perl 3.74-2+b6 has
> 
>   Depends: perl (>= 5.28.0~), perlapi-5.28.0, perl (<< 5.28.1~)
> 
> thus is not installable with perl 5.28.1-1.

A binNMU has already been requested:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915052



Accepted perl 5.28.1-1 (source) into unstable

2018-11-29 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 29 Nov 2018 19:17:43 +
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.28 libperl-dev perl-modules-5.28 
perl
Architecture: source
Version: 5.28.1-1
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Description:
 libperl-dev - Perl library: development files
 libperl5.28 - shared Perl library
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.28 - Core Perl modules
Closes: 914222
Changes:
 perl (5.28.1-1) unstable; urgency=high
 .
   [ Niko Tyni ]
   * Special case libextutils-parsexs-perl in maintainer / autopkgtest
 checks (Closes: #914222)
   * Update patch metadata for patches applied upstream.
 .
   [ Dominic Hargreaves ]
   * Include note in README.source about importing new upstream releases.
   * New upstream release
 - [SECURITY] CVE-2018-18311: Integer overflow leading to buffer
   overflow and segmentation fault
 - [SECURITY] CVE-2018-18312: Heap-buffer-overflow write in S_regatom
   (regcomp.c)

-BEGIN PGP SIGNATURE-

iQJBBAEBCAArFiEEy0llJ/kAnyscGnbawAV+cU1pT7IFAlwAQ9cNHGRvbUBlYXJ0
aC5saQAKCRDABX5xTWlPsgOVD/sFCLniGahar8cUYgFzgL7shWgoepuAfNDeuTCg
WhCiYWB5vwNJ9eOW2VAeQCwZ9TEDBB29Sth9YDtvHPPyD+j1MTY8xmyF92l5fzmb
YdS48ybp4NM2bj9EdYtXgYumSVMf7y8l4JcUU2BmDjUGVAT6RhwLkR1wqf7/3FUO
AFt8oKFolo1/QMxKNLVV4W/+EhS4Vj4x9y6cHJw9jDpM7kSA7uvJFCEiuBBmEGTy
Xxr6PiQm8ddM4ab48n9CKhvhXEpP3wSeo8yMXciK/mGEYd9h61StIBchMFj7fHy8
ztWyWNnX5bDqUwLwXCbJ0CwBktj5pv+yIGGSwLWQ9dnOZXXaHTSUHM4jAqHW/vLT
G7V9wmmSLYZnss6YsLXZ0flwnq3Vi/okmvq1fLzNTeJn8kUkRFe1xojFNb7zVVVx
pIS6dGYO7siNwS1sna1E8hAp7p39ox5Lj622TDQY/hG0O1SSGEds9NQ0G1aUnMAO
/ysSFb2X93LufKrG3vtjr62coZrJaCoMoJTNgB1cmxJTIcxKj2zg/c+YN+kFc8RJ
HwvXqco5HCljfBjOcKU+/ZebuoXSw7fuDl7ld8Kd2SWsubJoySSPq+BWuZknHL1Q
auByClPdSyvskfHxK5XfELw0pSHorwbfqQ6bWFpXHLEF3sir4jTWItmydJwN54Jx
5Rksqg==
=bTqW
-END PGP SIGNATURE-



Bug#915052: nmu: libpar-packer-perl_1

2018-11-29 Thread Dominic Hargreaves
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

As is usual for a patch release of perl, we need to binnmu a small
number of packages:

nmu libpar-packer-perl libdevel-cover-perl libclass-xsaccessor-perl 
libcommon-sense-perl . ANY . -m "Rebuild against perlapi-5.28.1." 
--extra-depends 'perl-base (>= 5.28.1)'

Thanks!
Dominic.

-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



[perl.git] branch blead updated. v5.29.5-7-g5959277858

2018-11-21 Thread Dominic Hargreaves
In perl.git, the branch blead has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/59592778585db09866cbb37a7ab04eefc07b4df4?hp=1d05df9a39abb957e570b04c7d8bf36fbaa41492>

- Log -
commit 59592778585db09866cbb37a7ab04eefc07b4df4
Author: Dominic Hargreaves 
Date:   Wed Nov 21 10:49:39 2018 +

lgtm.yml: fix erroneous inclusion

---

Summary of changes:
 .lgtm.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.lgtm.yml b/.lgtm.yml
index 77fe59add5..fe68cf79b8 100644
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -12,4 +12,4 @@ path_classifiers:
 # These files are incorrectly classified as generated. Work around
 # this pending a fix on LGTM.com.
 - exclude: perl.c
-- exclude: io.c
+- exclude: op.c
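Review bot: swapping `- exclude: io.c` for `- exclude: op.c` leaves the commit message as the only explanation, and "fix erroneous inclusion" does not say whether io.c was a wrong file name or a file that never needed the workaround. Say which in the message or in the YAML comment above the list, so it is clear which entries are still needed once LGTM.com fixes its classifier.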

-- 
Perl5 Master Repository


[perl.git] branch blead updated. v5.29.4-92-g620e0b0270

2018-11-19 Thread Dominic Hargreaves
In perl.git, the branch blead has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/620e0b02706187ce59a94d1a73ff296e0d9a8748?hp=2d0e7d1fcad776bfaaeaa7049e51eaf521767967>

- Log -
commit 620e0b02706187ce59a94d1a73ff296e0d9a8748
Author: Dominic Hargreaves 
Date:   Mon Nov 19 19:17:17 2018 +

lgtm.yml: work around some incorrect classification

---

Summary of changes:
 .lgtm.yml | 4 
 1 file changed, 4 insertions(+)

diff --git a/.lgtm.yml b/.lgtm.yml
index ac78cd4dac..77fe59add5 100644
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -9,3 +9,7 @@ extraction:
 path_classifiers:
   generated:
 - charclass_invlists.h
+# These files are incorrectly classified as generated. Work around
+# this pending a fix on LGTM.com.
+- exclude: perl.c
+- exclude: io.c
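Review bot: the added comment says the workaround is "pending a fix on LGTM.com" but gives no link or report reference for that fix, so there is nothing to check before the two `exclude:` entries are removed later. Add the URL of the LGTM.com report to the comment, and note how the misclassification of perl.c and io.c was observed, since the entries are bare file names.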

-- 
Perl5 Master Repository


Bug#914013: perl: missing-depends-on-sensible-utils

2018-11-18 Thread Dominic Hargreaves
On Sun, Nov 18, 2018 at 04:05:43PM +0200, Niko Tyni wrote:
> Package: perl
> Version: 5.28.0-3
> 
> As prompted by lintian:
> 
> E: libperl-dev: missing-depends-on-sensible-utils 
> usr/lib/x86_64-linux-gnu/libperl.a
> E: perl-modules-5.28: missing-depends-on-sensible-utils 
> usr/share/perl/5.28.0/Pod/Perldoc/ToTerm.pm
> E: libperl5.28: missing-depends-on-sensible-utils 
> usr/lib/x86_64-linux-gnu/libperl.so.5.28.0
> E: libperl5.28: missing-depends-on-sensible-utils 
> usr/lib/x86_64-linux-gnu/perl/5.28.0/CORE/patchlevel-debian.h
> E: libperl5.28: missing-depends-on-sensible-utils 
> usr/lib/x86_64-linux-gnu/perl/5.28.0/Config_heavy.pl
> E: perl-base: missing-depends-on-sensible-utils usr/bin/perl
> E: perl-base: missing-depends-on-sensible-utils usr/bin/perl5.28.0
> E: perl-base: missing-depends-on-sensible-utils 
> usr/lib/x86_64-linux-gnu/perl-base/Config_heavy.pl
> E: perl-debug: missing-depends-on-sensible-utils usr/bin/debugperl
> 
> This is a result of us building with -Dpager=/usr/bin/sensible-pager,
> which ends up in the binary files, and patching Pod::Perldoc::ToTerm
> to treat sensible-pager like 'less'. (The lintian check simply looks
> for relevant strings in the binary packages, skipping /usr/share/doc
> and /usr/share/locale.)
> 
> It looks to me like
> 
> - patchlevel-debian.h, libperl.{a,so} and the statically linked binaries
>   only have sensible-pager in a patch description, so false positives
> 
> - the Pod::Perldoc::ToTerm changes in debian/perldoc-pager.diff don't
>   imply any kind of dependency on sensible-pager, so a false positive
> 
> The only relevant hit is Config_heavy.pl. The implied dependency (perl
> default pager) should IMO be at most a recommendation, though I'd lean
> on the side of a suggestion.
> 
> So I propose we fix this by adding Suggests: sensible-utils in perl-base
> and libperl5.28, and overriding the rest.
> 
> Thoughts?

Sounds good to me!



Bug#913885: stretch-pu: package libapache2-mod-perl2/2.0.10-2+deb9u1

2018-11-16 Thread Dominic Hargreaves
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This fixes a low-severity security issue which was recently fixed in
unstable (and also jessie-lts):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=644169

The release will be set correctly when the changelog is finalised.

Cheers,
Dominic.
diff -Nru libapache2-mod-perl2-2.0.10/debian/changelog 
libapache2-mod-perl2-2.0.10/debian/changelog
--- libapache2-mod-perl2-2.0.10/debian/changelog2016-12-25 
09:51:10.0 +
+++ libapache2-mod-perl2-2.0.10/debian/changelog2018-11-16 
12:46:23.0 +
@@ -1,3 +1,10 @@
+libapache2-mod-perl2 (2.0.10-2+deb9u1) UNRELEASED; urgency=medium
+
+  * [SECURITY] CVE-2011-2767: don't allow  sections in
+user controlled configuration (Closes: #644169)
+
+ -- Dominic Hargreaves   Fri, 16 Nov 2018 12:46:23 +
+
 libapache2-mod-perl2 (2.0.10-2) unstable; urgency=medium
 
   * Patch the test suite for Apache 2.4.24 compatibility.
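Review bot: the new changelog entry gives the CVE id and the bug number but not what changes for administrators: after this update, configurations that carried these sections in user-controlled files will no longer be accepted. Say so in the entry or in a NEWS file, since this is going out as a stable update. The UNRELEASED distribution is already covered by the cover mail.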
diff -Nru libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch 
libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch
--- libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch  
1970-01-01 01:00:00.0 +0100
+++ libapache2-mod-perl2-2.0.10/debian/patches/CVE-2011-2767.patch  
2018-11-16 11:44:22.0 +
@@ -0,0 +1,41 @@
+From: Markus Koschany 
+Date: Tue, 18 Sep 2018 19:03:15 +0200
+Subject: CVE-2011-2767
+
+Original patch by Jan Ingvoldstad.
+
+Bug-Debian: https://bugs.debian.org/644169
+Origin: https://bugs.debian.org/644169#19
+---
+ src/modules/perl/mod_perl.c | 12 ++--
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/modules/perl/mod_perl.c b/src/modules/perl/mod_perl.c
+index d3245bf..25c64ab 100644
+--- a/src/modules/perl/mod_perl.c
 b/src/modules/perl/mod_perl.c
+@@ -913,18 +913,18 @@ static const command_rec modperl_cmds[] = {
+ MP_CMD_DIR_ITERATE2("PerlAddVar", add_var, "PerlAddVar"),
+ MP_CMD_DIR_TAKE2("PerlSetEnv", set_env, "PerlSetEnv"),
+ MP_CMD_SRV_TAKE1("PerlPassEnv", pass_env, "PerlPassEnv"),
+-MP_CMD_DIR_RAW_ARGS_ON_READ("
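Review bot: the patch header carries Origin and Bug-Debian but no Forwarded field, and the Subject is only the CVE id, so neither the upstream status nor what the change to modperl_cmds[] does can be read from the header. Add a Forwarded line and a one-sentence description of the change. The mod_perl.c hunk is cut off here after its first removed line, so the code change itself cannot be reviewed from this copy.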

Accepted libapache2-mod-perl2 2.0.10-3 (source) into unstable

2018-11-15 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Thu, 15 Nov 2018 19:25:41 +
Source: libapache2-mod-perl2
Binary: libapache2-mod-perl2 libapache2-mod-perl2-dev libapache2-mod-perl2-doc
Architecture: source
Version: 2.0.10-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group 
Changed-By: Dominic Hargreaves 
Description:
 libapache2-mod-perl2 - Integration of perl with the Apache2 web server
 libapache2-mod-perl2-dev - Integration of perl with the Apache2 web server - 
development fil
 libapache2-mod-perl2-doc - Integration of perl with the Apache2 web server - 
documentation
Closes: 644169
Changes:
 libapache2-mod-perl2 (2.0.10-3) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ Xavier Guimard ]
   * Patches:
 - update format of 0001-Skip-* and 370_http_syntax.patch
 - use short link for bugs.d.o in honour-env-LDFLAGS.patch
 - update offset in avoid-db-linkage.patch
 - add new spelling errors in 200_fix-pod-spelling-errors.patch
   * Apache2 license:
 - update Apache2 license link
 - add required NOTICE file in docs
   * dependencies:
 - remove useless dependency version to apache2-dev
 - remove dh-apache2 from dependencies (alias to apache2-dev)
   * Add myself to uploaders
   * Declare compliance with policy 4.1.5
   * Bump debhelper compatibility to 10
   * Add debian/upstream/metadata
   * Remove useless --parallel option in debian/rules
   * Remove useless Testsuite entry
   * Email change: Xavier Guimard -> y...@debian.org
 .
   [ Dominic Hargreaves ]
   * [SECURITY] CVE-2011-2767: don't allow  sections in
 user controlled configuration (Closes: #644169)



[perl.git] branch blead updated. v5.29.4-44-g859553fd45

2018-11-15 Thread Dominic Hargreaves
In perl.git, the branch blead has been updated

<https://perl5.git.perl.org/perl.git/commitdiff/859553fd45e3a39eee5643d8c03e4910d2203fc0?hp=ed0ccc61a67a1df17e4187c8ed96ae8f9aa4781a>

- Log -
commit 859553fd45e3a39eee5643d8c03e4910d2203fc0
Author: Dominic Hargreaves 
Date:   Thu Nov 15 12:13:05 2018 +

lgtm.yml: classify charclass_invlists.h as generated

This file represents a significant chunk of the line count of the project
and so excluding it results in more realistic statistics.

---

Summary of changes:
 .lgtm.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.lgtm.yml b/.lgtm.yml
index e0fd5bc57e..ac78cd4dac 100644
--- a/.lgtm.yml
+++ b/.lgtm.yml
@@ -6,3 +6,6 @@ extraction:
 index:
   build_command:
 - "make"
+path_classifiers:
+  generated:
+- charclass_invlists.h
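Review bot: nothing in the added `generated:` entry records what generates charclass_invlists.h, and the commit message justifies the classification by line count alone. Add a YAML comment naming the script that regenerates the header, so a reviewer can confirm the file really is generated and not just large.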

-- 
Perl5 Master Repository


Bug#644169: libapache2-mod-perl2: PerlOptions -Sections not permitted in server config, but should be

2018-11-14 Thread Dominic Hargreaves
On Sun, Aug 26, 2018 at 04:26:09PM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> Back in 2011 after this bug was reported, for the security implication
> mentioned, CVE-2011-2767 was assigned. mod_perl checks .htaccess files
> for  sections, and users allowed to write to .htaccess files can
> run code as the user running the web server, leading to privilege
> escalation.
> 
> This can be demonstrated in situations where both mod_perl and userdir
> support would be enabled, or other setups potentially leading to full
> root privilege escalation.
> 
> Jan, want to outline your finding in more detail? I just have
> submitted the CVE itself to MITRE, as it was back then assigned from
> the Debian pool.

This was apparently already fixed in jessie (LTS) - I've now updated the
bug metadata and I'll look at applying the fix in unstable and stable.

Dominic.



Bug#912682: libextutils-parsexs-perl: version is older than Replaces+Breaks in perl-modules-5.28

2018-11-07 Thread Dominic Hargreaves
On Fri, Nov 02, 2018 at 09:57:57PM +0200, Adrian Bunk wrote:
> Package: libextutils-parsexs-perl
> Version: 3.35-1
> Severity: serious
> 
> The following packages have unmet dependencies:
>  perl-modules-5.28 : Breaks: libextutils-parsexs-perl (< 3.39)

For the avoidance of doubt: this does not require any action beyond
monitoring the situation, and eventually removing libextutils-parsexs-perl
from Debian if there are no newer versions that would be useful to package.



Accepted openguides 0.82-2 (source) into unstable

2018-09-09 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 09 Sep 2018 23:40:19 +0100
Source: openguides
Binary: openguides
Architecture: source
Version: 0.82-2
Distribution: unstable
Urgency: medium
Maintainer: Dominic Hargreaves 
Changed-By: Dominic Hargreaves 
Description:
 openguides - web application for managing a collaboratively-written city guide
Closes: 839271
Changes:
 openguides (0.82-2) unstable; urgency=medium
 .
   * Add Brazilian Portuguese debconf translation (Closes: #839271)
   * Remove support for Lucy as this is now EoL upstream and is being
 removed from Debian
   * Update Vcs-* fields
   * Update Standards-Version (no changes)
   * Update debhelper compat level
   * Remove possibly vulnerable use of recursive find in postinst
 which was only used in very old upgrade paths (thanks, Lintian)



Bug#907737: liblucy-perl: Project Lucy has retired

2018-09-09 Thread Dominic Hargreaves
On Sat, Sep 01, 2018 at 05:48:22PM +0100, Dominic Hargreaves wrote:
> On Sat, Sep 01, 2018 at 04:42:36PM +0200, Jonas Smedegaard wrote:
> > Quoting Xavier Guimard (2018-09-01 08:46:22)
> > > Package: liblucy-perl
> > > Version: Project Lucy has retired
> > > Severity: important
> > > 
> > > As announced in http://lucy.apache.org/, project Lucy has retired. I
> > > think we should remove it from buster
> > 
> > liblucy-perl has two reverse dependencies:
> > 
> >   * openguides
> >   * libcatmandu-store-lucy-perl
> > 
> > It is fine by me to drop libcatmandu-store-lucy-perl with liblucy-perl: 
> > Other Catmandu search backends exist but need to be packaged, but 
> > shipping no Catmandu search backend is better than shipping a backend 
> > dead upstream!
> > 
> > @Dominique: Is it ok to drop openguides, or can it be made to not depend 
> > on liblucy-perl?
> 
> I am still interested in OpenGuides (I run several instances using
> the Debian package).
> 
> I suspect not that many users use Lucy, so I'm fine with dropping that
> dependency. Please ping me in a couple of weeks if I haven't got around
> to that.

That's now done in openguides 0.82-2.

Thanks,
Dominic.



Accepted request-tracker4 4.4.3-1 (source) into unstable

2018-09-09 Thread Dominic Hargreaves
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Sun, 09 Sep 2018 22:40:16 +0100
Source: request-tracker4
Binary: request-tracker4 rt4-clients rt4-standalone rt4-fcgi rt4-apache2 
rt4-db-postgresql rt4-db-mysql rt4-db-sqlite rt4-doc-html
Architecture: source
Version: 4.4.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Request Tracker Group 

Changed-By: Dominic Hargreaves 
Description:
 request-tracker4 - extensible trouble-ticket tracking system
 rt4-apache2 - Apache 2 specific files for request-tracker4
 rt4-clients - mail gateway and command-line interface to request-tracker4
 rt4-db-mysql - MySQL database backend for request-tracker4
 rt4-db-postgresql - PostgreSQL database backend for request-tracker4
 rt4-db-sqlite - SQLite database backend for request-tracker4
 rt4-doc-html - HTML documentation for request-tracker4
 rt4-fcgi   - External FastCGI support for request-tracker4
 rt4-standalone - Standalone web server support for request-tracker4
Closes: 848041 895600 905703 907420
Changes:
 request-tracker4 (4.4.3-1) unstable; urgency=medium
 .
   [ Niels Thykier ]
   * Declare the explicit requirement for (fake)root
 .
   [ Dominic Hargreaves ]
   * debian/bug/script: use dpkg --verify to avoid manual access to
 dpkg database (Closes: #905703)
   * New upstream release
 - Fix bug in system configuration display with regexps (Closes: #895600)
   * Drop dependency on dh-systemd (thanks, Lintian)
   * Mark rt4-standlone as being a metapackage to avoid Lintian warning
 (Closes: #907420)
   * Replace exim4 with default-mta in Depends (thanks, Lintian)
   * Force the use of Cpanel::JSON::XS (Closes: #848041)



Bug#907974: perl-doc-html: Should be updated to 5.28 at the point of the transition

2018-09-04 Thread Dominic Hargreaves
Source: perl-doc-html
Version: 5.26.0-4
Severity: wishlist
User: debian-p...@lists.debian.org
Usertags: perl-5.28-transition
X-Debbugs-Cc: p...@packages.debian.org

We should make this bug serious at the point of the 5.28 transition
so that we don't end up releasing with documentation for the wrong 
version of perl.

See #907273 and #154963 for additional context.



Bug#907273: Alternative approach

2018-09-04 Thread Dominic Hargreaves
Hi,

Thanks for your work maintaining perl-doc-html. 

For the bug record: there has been a long-standing bug in perl (#154963) which
discusses a better way of producing a perl-doc-html package. One option
is to continue to maintain perl-doc-html but with the data coming directly
from perl (which would likely mean a complete overhaul of perl-doc-html).

If someone is interested in adopting this package, that would
probably be a good route forward. But either way, we should probably not
let this slip into the next release with outdated versions, so
I'll file a separate bug against perl-doc-html linked to the perl 5.28
transition, as it appears I never did file the bug I said I would in
#154963.

Cheers,
Dominic.



Bug#907737: liblucy-perl: Project Lucy has retired

2018-09-01 Thread Dominic Hargreaves
On Sat, Sep 01, 2018 at 04:42:36PM +0200, Jonas Smedegaard wrote:
> Quoting Xavier Guimard (2018-09-01 08:46:22)
> > Package: liblucy-perl
> > Version: Project Lucy has retired
> > Severity: important
> > 
> > As announced in http://lucy.apache.org/, project Lucy has retired. I
> > think we should remove it from buster
> 
> liblucy-perl has two reverse dependencies:
> 
>   * openguides
>   * libcatmandu-store-lucy-perl
> 
> It is fine by me to drop libcatmandu-store-lucy-perl with liblucy-perl: 
> Other Catmandu search backends exist but need to be packaged, but 
> shipping no Catmandu search backend is better than shipping a backend 
> dead upstream!
> 
> @Dominique: Is it ok to drop openguides, or can it be made to not depend 
> on liblucy-perl?

I am still interested in OpenGuides (I run several instances using
the Debian package).

I suspect not that many users use Lucy, so I'm fine with dropping that
dependency. Please ping me in a couple of weeks if I haven't got around
to that.

Ironically, Lucy is more alive than Plucene, which saw its last upstream
release in 2005, and which is probably used by most OpenGuides sites.

Cheers,
Dominic.



Bug#906901: debian-policy: Perl script shebang requirement is disturbing and inconsistent with rest of policy

2018-08-25 Thread Dominic Hargreaves
On Fri, Aug 24, 2018 at 08:44:26PM -0700, Russ Allbery wrote:
> Dominic Hargreaves  writes:
> 
> > Clearly it should not be a must at this point given the deviation:
> > though it still looks to me like a must ever since it was added to the
> > perl policy, so if it is changed it should be changed in both places.
> 
> Hi all,
> 
> I'm looking for seconds for this patch to relax the current requirement
> back to a should.  After that, I think the next step would be to introduce
> automatic fixing of the #! line to debhelper, since that seems relatively
> uncontroversial, and then we can reconsider this later after that's had a
> chance to propagate through the archive.
> 
> --- a/perl-policy.xml
> +++ b/perl-policy.xml
> @@ -533,7 +533,7 @@ $(MAKE) OPTIMIZE="-O2 -g -Wall"
>Script Magic
>  
>
> -All packaged perl programs must start with
> +All packaged perl programs should start with
>  #!/usr/bin/perl and may append such flags as
>  are required.
>
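Review bot: with "must" relaxed to "should" in this paragraph, the text no longer tells a packager when deviating from #!/usr/bin/perl is acceptable or why the fixed path is preferred. Add a sentence of rationale next to the changed line (the script should run under the packaged interpreter regardless of PATH), so that exceptions can be judged against it.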
> diff --git a/policy/ch-files.rst b/policy/ch-files.rst
> index f31a3b4..bc87573 100644
> --- a/policy/ch-files.rst
> +++ b/policy/ch-files.rst
> @@ -186,7 +186,7 @@ All command scripts, including the package maintainer 
> scripts inside the
>  package and used by ``dpkg``, should have a ``#!`` line naming the shell
>  to be used to interpret them.
>  
> -In the case of Perl scripts this must be ``#!/usr/bin/perl``.
> +In the case of Perl scripts this should be ``#!/usr/bin/perl``.
>  
>  When scripts are installed into a directory in the system PATH, the
>  script name should not include an extension such as ``.sh`` or ``.pl``
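Review bot: the changed sentence in ch-files.rst restates the rule that perl-policy.xml also carries, so the two texts have to be edited together every time the wording moves, as this patch does. Consider replacing the sentence with a reference to the Perl policy, or add a comment in both files pointing at the other copy.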

Seconded.



Bug#906901: debian-policy: Perl script shebang requirement is disturbing and inconsistent with rest of policy

2018-08-22 Thread Dominic Hargreaves
On Tue, Aug 21, 2018 at 08:42:11PM -0700, Russ Allbery wrote:
> Russ Allbery  writes:
> 
> > Did Lintian have some special case that was allowing /usr/bin/env perl
> > previously and then Lintian changed based on Policy?  That would be
> > unfortunate, since we thought we were changing to match Lintian
> 
> Sigh.  Yes, indeed.
> 
>   * checks/scripts.pm:
> + [CL] Policy 10.4 states that Perl scripts must use /usr/bin/perl
>   directly and not via /usr/bin/env, etc.  (Closes: #904414)
> 
> in Lintian 2.5.94.
> 
> Well, this is a mess.  Apparently a lot of people were ignoring that part
> of Policy, and now we've created a ton of buggy packages because I made a
> bad assumption about what Lintian was already checking for.

Oh, that's really unfortunate :(

> Perl folks, the short version is that Lintian wasn't actually checking for
> scripts that used /usr/bin/env perl, so our check when we closed #683495
> was bogus.  Lintian has now changed based on Policy, and it looks like
> there were around 2,000 scripts in Debian that were using the /usr/bin/env
> perl form.
> 
> Any feelings about where we should go from here?

Clearly it should not be a must at this point given the deviation:
though it still looks to me like a must ever since it was added to the
perl policy, so if it is changed it should be changed in both places.

> I do feel like allowing either based on the whim of the packager is just
> kind of bad.  It produces inconsistent behavior to no real benefit for
> anyone.  If you install a Perl earlier in your PATH, you get totally
> unpredictable behavior, and everyone will be unhappy half the time.

My personal view is that the rule is the correct one though. Installing
a different perl for some application specific purpose is not uncommon -
some people choose to not use the system perl at all when they are
deploying a perl application - and they should be free to do that by
putting a different perl in the path. That doesn't mean that they
suddenly have to worry about parts of the packaged Debian system breaking.
I certainly couldn't name every part of Debian that I rely on that's
written in perl!

Addressing your inconsistency argument above: I can certainly see an
argument that some types of perl scripts shipped in Debian might want
to opt into being run by a different interpreter for special reasons,
but I think they should be the exception rather than the rule. Having
a few special cases in Debian seems far better than having every single
perl script in Debian be at risk of breaking when /usr/local/bin/perl
appears.

Dominic.
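The distinction argued over in this thread, as an added example (not Lintian's or debhelper's code): a POSIX shell classifier that separates `#!/usr/bin/perl` from `#!/usr/bin/env perl`, which is resolved through PATH at run time and so picks up a /usr/local/bin/perl if one appears. The function names, category labels and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example. Names and categories below are made up for illustration.

# is_perl_name WORD -> success if the basename looks like a perl interpreter.
is_perl_name() {
    case ${1##*/} in
        perl|perl5*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_shebang FILE -> prints one of:
#   system-perl  "#!/usr/bin/perl", optionally followed by flags
#   env-perl     perl looked up by env, i.e. through PATH at run time
#   other-perl   any other perl path (e.g. /usr/local/bin/perl)
#   not-perl     everything else, including files with no "#!" line
classify_shebang() {
    # Only the first line matters; cap the read so binaries stay cheap.
    first=$(head -c 256 -- "$1" 2>/dev/null | tr -d '\000' | head -n 1)
    case $first in
        '#!'*) ;;
        *) echo not-perl; return 0 ;;
    esac
    line=${first#??}          # drop the leading "#!"
    set -f                    # split into words without globbing
    # shellcheck disable=SC2086
    set -- $line
    set +f
    interp=${1-}
    case ${interp##*/} in
        env)
            shift
            # Skip env options (-S, -i, ...) and VAR=value assignments.
            # Options that take a separate argument are not handled.
            while [ $# -gt 0 ]; do
                case $1 in
                    -*|*=*) shift ;;
                    *) break ;;
                esac
            done
            if is_perl_name "${1-}"; then echo env-perl; else echo not-perl; fi
            ;;
        *)
            if [ "$interp" = /usr/bin/perl ]; then
                echo system-perl
            elif is_perl_name "$interp"; then
                echo other-perl
            else
                echo not-perl
            fi
            ;;
    esac
}

# scan_tree DIR -> prints "CATEGORY<TAB>PATH" for each perl script whose
# "#!" line is not the plain /usr/bin/perl form.
scan_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        kind=$(classify_shebang "$f")
        case $kind in
            env-perl|other-perl) printf '%s\t%s\n' "$kind" "$f" ;;
        esac
    done
}

# make_samples DIR -> writes constructed sample scripts into DIR.
make_samples() {
    printf '#!/usr/bin/perl -w\nprint "ok\\n";\n'   > "$1/direct"
    printf '#!/usr/bin/env perl\nprint "ok\\n";\n'  > "$1/via-env"
    printf '#! /usr/bin/env -S perl -T\nprint 1;\n' > "$1/via-env-flags"
    printf '#!/usr/local/bin/perl\nprint 1;\n'      > "$1/local-perl"
    printf '#!/bin/sh\necho hi\n'                   > "$1/shell"
    printf 'package Foo;\n1;\n'                     > "$1/Module.pm"
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
scan_tree "$demo_dir"
rm -rf "$demo_dir"
```

Pointed at an unpacked package tree, `scan_tree` lists the scripts that would change interpreter when a different perl appears earlier in PATH.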



Bug#848041: [request-tracker-maintainers] Bug#848041: this still exists as of 2018-08-08

2018-08-20 Thread Dominic Hargreaves
On Wed, Aug 08, 2018 at 11:49:54AM -0400, Mason Loring Bliss wrote:
> To confirm the original poster's observations, this still exists as of August
> 2018. Removing libjson-xs-perl causes libcpanel-json-xs-perl to be installed
> instead, and per https://rt.cpan.org/Public/Bug/Display.html?id=94784 and
> discussion in 
> https://forum.bestpractical.com/t/perl-upgrade-on-debian-9-causes-json-error/31524/5
> this works.
> 
> It would be nice if this weren't broken out of the box. Making this package
> substitution would do the trick.

The package substitution isn't something we can do at the package level,
because conflicting on that package would prevent coinstallation of
RT and many other packages which depend on JSON::XS.

However it was pointed out to me that we could force the version to
use via an environment variable:

https://sources.debian.org/src/libjson-perl/2.97001-1/lib/JSON.pm/#L488

This should be possible to ship in default configurations: I'll look at 
that when I have a moment.

Best,
Dominic.



Accepted perl 5.24.1-3+deb9u4 (all amd64 source) into proposed-updates->stable-new, proposed-updates

2018-06-12 Thread Dominic Hargreaves
Format: 1.8
Date: Sun, 10 Jun 2018 18:37:28 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.24 libperl-dev perl-modules-5.24 perl
Architecture: all amd64 source
Version: 5.24.1-3+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Closes: 900834
Description: 
 libperl5.24 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules-5.24 - Core Perl modules
Changes:
 perl (5.24.1-3+deb9u4) stretch-security; urgency=high
 .
   * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
 in Archive-Tar (Closes: #900834)



Accepted perl 5.20.2-3+deb8u11 (all amd64 source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

2018-06-12 Thread Dominic Hargreaves
Format: 1.8
Date: Sun, 10 Jun 2018 18:40:37 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Closes: 900834
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u11) jessie-security; urgency=high
 .
   * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
 in Archive-Tar (Closes: #900834)



Accepted perl 5.26.2-6 (source) into unstable

2018-06-09 Thread Dominic Hargreaves
Format: 1.8
Date: Sat, 09 Jun 2018 13:38:44 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.26 libperl-dev perl-modules-5.26 perl
Architecture: source
Version: 5.26.2-6
Distribution: unstable
Urgency: high
Maintainer: Niko Tyni 
Changed-By: Dominic Hargreaves 
Description:
 libperl-dev - Perl library: development files
 libperl5.26 - shared Perl library
 perl   - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.26 - Core Perl modules
Closes: 900834
Changes:
 perl (5.26.2-6) unstable; urgency=high
 .
   * [SECURITY] CVE-2018-12015: fix directory traversal vulnerability
 in Archive-Tar (Closes: #900834)



Bug#900853: [request-tracker-maintainers] Bug#900853: [request-tracker4] FTBFS: missing fonts in ckeditor

2018-06-07 Thread Dominic Hargreaves
Control: severity -1 normal
Control: tags -1 + moreinfo

On Wed, Jun 06, 2018 at 12:01:59AM +0200, Bastien ROUCARIÈS wrote:
> Package: request-tracker4
> Severity: serious
> 
> Hi,
> 
> third-party-source/devel/third-party/ckeditor-4.5.3/samples/toolbarconfigurator/font/fontello*
> 
> Does not build from source
> 
> Time to use ckeditor package ?
> 
> Will upload this font ASAP

I don't understand this bug report, please could you
clarify what you think the problem is? The file you referred to is not
used in the package build.

We don't use the ckeditor package because of compatibility concerns.

Dominic.



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-05 Thread Dominic Hargreaves
On Tue, Jun 05, 2018 at 01:19:13PM +1000, Tony Cook wrote:
> On Mon, Jun 04, 2018 at 09:31:06PM +0100, Dominic Hargreaves wrote:
> > Thanks for the detailed analysis both! Given that the fix is accidental,
> > and not in a released version of perl yet, I'm not sure whether this
> > belongs in a stable update. That said, maybe there is no more correct
> > place for a fix for this issue to live?
> 
> 5.26.2 has the fix as v5.26.1-61-g1e4ebce09b
> 
> maint-5.24 received only a very small set of changes outside of
> Module::CoreList changes and the security fixes for the last release.

Ah, great, I missed that it had already been applied in 5.26.
We (Debian) could consider applying it to our 5.24 if we think it's
a valid fix. The patch appears to apply cleanly.

Cheers,
Dominic.



Report from the Debian Perl Sprint in Hamburg (May 2018)

2018-06-05 Thread Dominic Hargreaves
Debian Perl Sprint 2018
=======================

Introduction
------------

3 members of the Debian Perl Group met in Hamburg between May 16 and May 20
2018 as part of the [Mini-DebConf Hamburg] to continue perl development work
for Buster and to work on QA tasks across our 3500+ packages.  The preparation
details can be found on the [sprint wiki].

The participants would like to thank the [Mini-DebConf Hamburg] organizers for
providing the framework for our sprint, [CSC] for sponsoring one of the
attendees, and all donors to the Debian project who helped to cover a large
part of our expenses.

[Mini-DebConf Hamburg]: https://wiki.debian.org/DebianEvents/de/2018/MiniDebConfHamburg
[sprint wiki]: https://wiki.debian.org/Sprints/2018/DebianPerlSprint
[CSC]: https://www.csc.fi/en/


Bugs and Packages
=================

Overview
--------

Bugs [tagged] with:

* user: debian-p...@lists.debian.org
* usertags: hh2018

A total of 28 bugs were filed/worked on. These include:

* newly filed: 20 bugs
    - incl. 5 fixed during the sprint
    - incl. 2 RoM bugs to drop unmaintained upstream software
* resolved: 9 bugs
    - incl. 7 bugs filed during the sprint

[tagged]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hh2018;users=debian-p...@lists.debian.org

Some details
------------

* Bugs around *YAML*: work on regressions, ping the security related bugs,
  upload new upstream release.
    - [#862373]\: libyaml-libyaml-perl: Unconditionally instantiates objects
      from yaml data
    - [#862475]\: libyaml-syck-perl: Unconditionally instantiates objects from
      yaml data
    - [#898561]\: libmarc-transform-perl: FTBFS with libyaml-perl >= 1.25-1
      (test failures)
    - [#898578]\: libyaml-perl/1.25-1 breaks rex/1.6.0-1 test suite (FTBFS and
      autopkgtest failure)
* Versioned Provides:
    - [#867081]\: autopkgtest: @ no longer pulls in packages with versioned
      Provides
* CI regressions:
    - [#898977]\: libnet-dns-zonefile-fast-perl: FTBFS: You are missing
      required modules for NSEC3 support
* Perl 5.28 transition related (see below)

[#862373]: https://bugs.debian.org/862373
[#862475]: https://bugs.debian.org/862475
[#867081]: https://bugs.debian.org/867081
[#898561]: https://bugs.debian.org/898561
[#898578]: https://bugs.debian.org/898578
[#898977]: https://bugs.debian.org/898977

Perl 5.27/5.28
==============

src:perl
--------

*perl* 5.27.11 was packaged and uploaded to [perl.debian.net] to allow
for some initial QA prior to the release of perl 5.28. Some
notable details include:

* Started first test rebuilds, see the [Perl-5.28-QA] gobby document.
* Improved performance of rebuild process (disable *lintian* and add
  *eatmydata*).
* Updated the transition scripts in the `pkg-perl/scripts` repo.
* Bugs filed and/or fixed:
    - [#898946]\: sbuild: --make-binNMU should imply --no-arch-all
    - [#898955]\: dist: Please import new upstream snapshot for metaconfig -X
      support
    - [#898989]\: altree: FTBFS with Perl 5.27: _quicksort sub-pragma removed
    - [#898994]\: texinfo: Unescaped left brace in regex is deprecated, FTBFS
      with Perl 5.27/5.28
    - [#899017]\: libprotocol-acme-perl: FTBFS with newer versions of
      ExtUtils::MakeMaker: cannot remove README.pod
    - [#899075]\: libmonitoring-icinga2-client-rest-perl: FTBFS with newer
      versions of ExtUtils::MakeMaker: cannot remove README.pod
    - [#899110]\: perl: Provides entries in old versions of perl-modules-5.xx
      and libperl5.xx erroneously satisfy dependencies
    - [#899207]\: dist: some script fail syntax checks
* Prepared new Debian package of *dist* package and uploaded to DELAYED/11.
  This newer version is needed to allow perl's build process to continue
  rebuilding Configure from its sources: a DFSG requirement.

[perl.debian.net]: http://perl.debian.net/
[Perl-5.28-QA]: https://gobby.debian.org/export/Teams/Perl/Perl-5.28-QA
[#898946]: https://bugs.debian.org/898946
[#898955]: https://bugs.debian.org/898955
[#898989]: https://bugs.debian.org/898989
[#898994]: https://bugs.debian.org/898994
[#899017]: https://bugs.debian.org/899017
[#899075]: https://bugs.debian.org/899075
[#899110]: https://bugs.debian.org/899110
[#899207]: https://bugs.debian.org/899207

Versioned Provides
------------------

Deploying versioned provides in *src:perl* would simplify numerous
dependencies. For instance, *perl* could `Provides: libtest-simple-perl
(= 1.xx)` and other packages could then only `(Build-)Depends:
libtest-simple-perl (>= 1.xx)` without needing an alternative dependency
on *perl*. See *debian-policy* bug ([#761219]).

There have been some hurdles with this work, but currently the last
missing piece is support in autopkgtest ([#867081]). This issue was
worked on during the sprint and a work-in-progress [autopkgtest patch]
was submitted to the autopkgtest maintainers.

[#761219]: https://bugs.debian.org/761219
[#867081]: https://bugs.debian.org/867081
[autopkgtest patch]: 

Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-04 Thread Dominic Hargreaves
On Mon, Jun 04, 2018 at 03:08:19PM +1000, Tony Cook wrote:
> The underlying cause appears to be that libm is referencing
> _LIB_VERSION in libperl.
> 
> I suspect the Oracle client libraries have dlopen()ed a library that
> depends on libm, and that isn't dlclosed() when mod_perl unloads
> DBD::Oracle.
> 
> So the process that leads to the crash:
> 
> 1) Apache starts its configuration check[1], loads mod_perl, which
> implicitly loads libperl (with PL_keyword_plugin set to its default)
> 
> 2) mod_perl runs the startup script, loading Syntax::Keyword::Try
> (which points PL_keyword_plugin at its keyword handler) and
> DBD::Oracle (which presumably dlopen()s a shared object that depends
> on libm).
> 
> 3) Apache unloads mod_perl, which unloads the shared objects for
> Syntax::Keyword::Try and DBD::Oracle.
> 
> Since something still loaded depends on libm, and that depends on the
> _LIB_VERSION symbol defined by libperl, libperl remains loaded.
> 
> PL_keyword_plugin now points to where the Syntax::Keyword::Try keyword
> handler *used* to be.
> 
> 4) Apache loads mod_perl again, and attempts to parse the perl startup
> script.  Since PL_keyword_plugin points to unmapped memory, libperl
> segfaults.
> 
> Without something else depending on libm, libperl would normally be
> unloaded at step 3), and step 4) would reload libperl, with
> PL_keyword_plugin pointing at the default keyword plugin function.
> 
> The patch incidentally prevents libm depending on the _LIB_VERSION
> symbol in libperl, so libperl can unload when mod_perl unloads.

Thanks for the detailed analysis both! Given that the fix is accidental,
and not in a released version of perl yet, I'm not sure whether this
belongs in a stable update. That said, maybe there is no more correct
place for a fix for this issue to live?

Cheers,
Dominic.



Bug#899021: libembperl-perl: FTBFS with Perl 5.27, unmaintained upstream

2018-06-03 Thread Dominic Hargreaves
On Sun, May 20, 2018 at 10:17:43AM +0200, Dominique Dumont wrote:
> On Friday, 18 May 2018 17:08:38 CEST Dominic Hargreaves wrote:
> > Currently the package has a popcon of inst: 37 / vote: 22 / recent: 1
> > suggesting that it is barely used anywhere. 
> 
> Reading its features, I think this module may have been a good idea when it 
> was created back in 1997, but I'm afraid it's now completely obsoleted by 
> modern JavaScript frameworks.  
> 
> > So I suggest that rather than
> > spending any more time maintaining it, we remove it from Debian.
> 
> Agreed.

I asked the Embperl mailing list about this, and although no one
who actually uses the Embperl Debian packages spoke up, there was
definitely some interest in keeping it alive. I have hopefully reflected
the views of pkg-perl here:

http://mail-archives.apache.org/mod_mbox/perl-embperl/201805.mbox/browser

Cheers,
Dominic.



[Bug 1774717] Re: Saying goodbye to search.cpan.org

2018-06-02 Thread Dominic Hargreaves
Here is a relevant thread on debian-perl:
https://lists.debian.org/debian-perl/2018/05/msg00046.html

In short: yes, but there is no urgency. I don't think a bug on perl in
ubuntu is needed to track this.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1774717

Title:
  Saying goodbye to search.cpan.org


[Touch-packages] [Bug 1774717] Re: Saying goodbye to search.cpan.org

2018-06-02 Thread Dominic Hargreaves
Here is a relevant thread on debian-perl:
https://lists.debian.org/debian-perl/2018/05/msg00046.html

In short: yes, but there is no urgency. I don't think a bug on perl in
ubuntu is needed to track this.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to perl in Ubuntu.
https://bugs.launchpad.net/bugs/1774717

Title:
  Saying goodbye to search.cpan.org

Status in perl package in Ubuntu:
  New

Bug description:
  search.cpan.org is being retired and will transparently redirect to
  the new https://metacpan.org/ replacement site.  Are there any plans
  to update the URLs like FreeBSD did?
  https://svnweb.freebsd.org/ports?view=revision=470993



Accepted dist 1:3.5-236-0.1 (source) into unstable

2018-05-31 Thread Dominic Hargreaves
Format: 1.8
Date: Sun, 20 May 2018 22:35:58 +0200
Source: dist
Binary: dist
Architecture: source
Version: 1:3.5-236-0.1
Distribution: unstable
Urgency: medium
Maintainer: Manoj Srivastava 
Changed-By: Dominic Hargreaves 
Description:
 dist   - Tools for developing, maintaining and distributing software
Closes: 898955 899207
Changes:
 dist (1:3.5-236-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream snapshot (Closes: #898955)
   * Fix some syntax errors in various scripts (Closes: #899207)
   * Restore missing dependency libperl4-corelibs-perl
   * Fix Lintian error by removing Build-Depends-Indep: dpkg-dev



Re: Proposal to remove Embperl from Debian

2018-05-30 Thread Dominic Hargreaves
Hi Gerald,

There is no huge rush to make any change in Debian. Right now it's blocked
from being released by this bug:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899021

That status can be changed up until the freeze (which is not for several
months), or until we decide to remove it from Debian unstable completely.
However I think it will be difficult to argue that it should remain in
the next stable release without some movement on the upstream side
towards supporting current perl environments.

Best,
Dominic.

On Sun, May 27, 2018 at 05:44:30PM +0200, Gerald Richter wrote:
> Hi,
> 
> I know it's some years ago that I did the last release of Embperl. Also I
> personally still use it in our company, I didn't have the time to prepare new
> releases.
> 
> As Dominic already wrote it's usually not much effort to adapt it to a new 
> Perl version, but setting up the test environment takes time.
> 
> So if anybody can help with testing, I would like to keep Embperl working and 
> also as part of Debian (any other distros).
> 
> Dominic, currently I have only rare access to my email. So if possible, can
> we shift the decision how to continue until mid of June?
> 
> Thanks for all your work you put in Debian and Embperl 
> 
> Regards
> 
> Gerald
> 
> 
> - Original Message -
> From: "Dominic Hargreaves" 
> To: embperl@perl.apache.org
> Sent: Monday, 21 May 2018 12:29:49
> Subject: Proposal to remove Embperl from Debian
> 
> Hi,
> 
> As you can see from the message below, we are considering removing Embperl
> from Debian because of concerns about not being actively maintained. We
> have had to patch it several times to cope with changes in newer upstream
> versions over the past few years, and we don't think it is really being
> used much in Debian any more.
> 
> Interested if anyone has any thoughts on this from the user or upstream
> dev perspective.
> 
> Best,
> Dominic.
> 
> - Forwarded message from Dominic Hargreaves  -
> 
> Date: Fri, 18 May 2018 17:08:38 +0200
> From: Dominic Hargreaves 
> To: sub...@bugs.debian.org
> Subject: Bug#899021: libembperl-perl: FTBFS with Perl 5.27, unmaintained
>   upstream
> Reply-To: Dominic Hargreaves , 899...@bugs.debian.org
> 
> Source: libembperl-perl
> Version: 2.5.0-11
> Severity: serious
> Justification: unmaintained upstream, and will shortly break in Debian
> X-Debbugs-Cc: debian-p...@lists.debian.org
> User: debian-p...@lists.debian.org
> Usertags: perl-5.28-transition hh2018
> 
> The upstream version of this package has not worked since 5.18, and we
> have had to apply several fixes in Debian since. The build has now
> broken again with Perl 5.27:
> 
> http://perl.debian.net/rebuild-logs/perl-5.27-throwaway/libembperl-perl_2.5.0-11/libembperl-perl_2.5.0-11_amd64-2018-05-18T08:09:28Z.build
> 
> The problem in this case might not be that hard to fix, but I have
> been considering deprecating/removing this for some time, as there is
> a limit to how long we can be de facto upstream for this type of
> package.
> 
> Currently the package has a popcon of inst: 37 / vote: 22 / recent: 1
> suggesting that it is barely used anywhere. So I suggest that rather than
> spending any more time maintaining it, we remove it from Debian.
> 
> CC to debian-perl to get wider exposure of the proposal.
> 
> Cheers,
> Dominic.
> 
> 
> 
> - End forwarded message -
> 
> -
> To unsubscribe, e-mail: embperl-unsubscr...@perl.apache.org
> For additional commands, e-mail: embperl-h...@perl.apache.org



Re: [Pkg-sysvinit-devel] Late migration request: pkg-sysvinit-devel

2018-05-30 Thread Dominic Hargreaves
On Thu, May 24, 2018 at 06:42:17PM +0100, Ian Jackson wrote:
> It turns out that IO was subscribed to sysvinit via the package
> tracker, not via the alioth list which was listed in the Maintainer.
> 
> For now I think we should migrate this list:
>    pkg-sysvinit-devel
> 
> I will be the listowner, I guess.

Sure, this has been done.

Cheers,
Dominic.


Bug#887551: [request-tracker-maintainers] Bug#887542: libemail-address-list-perl depends on libemail-address-perl

2018-05-23 Thread Dominic Hargreaves
On Wed, May 23, 2018 at 06:57:23PM +0200, gregor herrmann wrote:
> On Sun, 20 May 2018 12:41:57 +0200, Pali Rohár wrote:
> 
> > Perl module Email::Address::List is probably not possible to fix. But
> > perl module Email::Address::XS already provides methods for parsing
> > list/groups of email addresses -- functionality which is provided by
> > Email::Address::List. Therefore applications which depend on
> > Email::Address::List can be rewritten to use Email::Address::XS.
> 
> Thanks for this update.
> 
> libemail-address-list-perl has one reverse dependency:
> request-tracker4.
> 
> Cc'ing the maintainers.

The bug about that is here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887551

It looks like a lot of other rdep must have gone away since I wrote
the last update on that mail. Then again, as long as it is marked
deprecated, perhaps the cost of keeping it in Debian until that bug
is fixed is not that high?

Dominic.



Re: Proposal to remove Embperl from Debian

2018-05-21 Thread Dominic Hargreaves
If you're building Apache from source, you'll also be building
Embperl from source too - in which case, the plans Debian has
to remove the packages will not have any direct effect on you.

Cheers,
Dominic.

On Mon, May 21, 2018 at 12:13:09PM -0700, Neil Gunton wrote:
> Thanks, I am aware of the end of support for Wheezy. To be honest I have
> been resisting upgrading because a) it tends to be very disruptive to a
> production server for a live website that is used by lots of people (I
> can't recall one major in-place upgrade that ever went smoothly, so
> usually a complete re-install is needed), and b) I have been unnerved by
> some of the debate I have seen about the move to systemd. I don't know
> much about it myself, but I have heard from people who do seem to know
> about it that it was quite controversial, to say the least. I don't like
> monolithic systems that pull everything else in, and it seems like that
> is the direction systemd is going in. I've been thinking about moving
> over to Devuan, but I haven't checked on the status of that project in a
> while. To be honest I have more pressing things to be worrying about
> usually, and since Wheezy is very stable, it's been low on the list of
> priorities to upgrade. If it works... also, I get the thing about
> security upgrades, but I do have my box pretty well locked down in terms
> of firewall rules, I disable most services that I don't use and I build
> my own Apache from latest source, and MySQL is hidden behind the
> firewall. I know stuff could come up with sendmail or bind, but you do
> your best to keep up.
> 
> Thanks,
> 
> Neil
> 
> Dominic Hargreaves wrote:
> > Well, your Debian Wheezy box will probably continue to run just fine with
> > Embperl :)
> > 
> > Seriously though, you should be aware that that release is nearly out
> > of long-term support, and you should be planning an upgrade to Stretch
> > - an excellent opportunity to reap the benefits of our continued attempts
> > to keep things working and not be running a release without security
> > support.
> > 
> > As you say, it would be good to hear if there are any plans from anyone
> > who can actively pursue maintenance of Embperl (which implies keeping it
> > working on new perls) who has a stake in it - as there is, I think,
> > no one from the Debian side in this position.
> > 
> > Thanks for the feedback - it is appreciated.
> > 
> > Best,
> > Dominic.
> > 
> > On Mon, May 21, 2018 at 09:06:16AM -0700, Neil Gunton wrote:
> >> I am still actively using Embperl on my websites, fwiw. My main site is
> >> the largest collection of bicycle tour journals in the world. I may not
> >> show up in your statistics, but I just wanted to add one voice to the
> >> "please keep it" side. I really like Embperl, it just works and has done
> >> so for the last 18 years for me. I use Debian Wheezy currently, and my
> >> systems don't tend to change much or very often. It's true that Embperl
> >> isn't as actively developed as it used to be, but as with many things
> >> Perl, it is still used by some people in systems that have been around
> >> for a good long while, because they just do the job they are intended to
> >> do and work well, so there's no need for constant churn. I would hope
> >> that Gerald Richter and/or others would at least keep the package up to
> >> date so it can continue to be included in Debian, because being taken
> >> out completely seems like another step toward complete abandonment. If
> >> it's not too much trouble to keep it in, I'd ask for that to happen. The
> >> users might not be vocal or active in development of the package (I'm
> >> not), but it is used and has been for a long time.
> >>
> >> My website is called crazyguyonabike, it's that dot com if anyone's
> >> interested. Not facebook by any means, but it's an active journaling
> >> website and like I said the largest in the world for bicycle tour
> >> journals. I'm also actively working on expansions to the site into other
> >> topics, so this is not a dead issue for me. I plan on continuing to use
> >> Embperl on new sites going forward.
> >>
> >> Thanks for your consideration,
> >>
> >> Neil Gunton
> >>
> >> Dominic Hargreaves wrote:
> >>> Hi,
> >>>
> >>> As you can see from the message below, we are considering removing Embperl
> >>> from Debian because of concerns about not being actively maintained. We
> >>> have had to patch it several times to cope with changes in newer upstream

Re: Proposal to remove Embperl from Debian

2018-05-21 Thread Dominic Hargreaves
Well, your Debian Wheezy box will probably continue to run just fine with
Embperl :)

Seriously though, you should be aware that that release is nearly out
of long-term support, and you should be planning an upgrade to Stretch
- an excellent opportunity to reap the benefits of our continued attempts
to keep things working and not be running a release without security
support.

As you say, it would be good to hear if there are any plans from anyone
who can actively pursue maintenance of Embperl (which implies keeping it
working on new perls) who has a stake in it - as there is, I think,
no one from the Debian side in this position.

Thanks for the feedback - it is appreciated.

Best,
Dominic.

On Mon, May 21, 2018 at 09:06:16AM -0700, Neil Gunton wrote:
> I am still actively using Embperl on my websites, fwiw. My main site is
> the largest collection of bicycle tour journals in the world. I may not
> show up in your statistics, but I just wanted to add one voice to the
> "please keep it" side. I really like Embperl, it just works and has done
> so for the last 18 years for me. I use Debian Wheezy currently, and my
> systems don't tend to change much or very often. It's true that Embperl
> isn't as actively developed as it used to be, but as with many things
> Perl, it is still used by some people in systems that have been around
> for a good long while, because they just do the job they are intended to
> do and work well, so there's no need for constant churn. I would hope
> that Gerald Richter and/or others would at least keep the package up to
> date so it can continue to be included in Debian, because being taken
> out completely seems like another step toward complete abandonment. If
> it's not too much trouble to keep it in, I'd ask for that to happen. The
> users might not be vocal or active in development of the package (I'm
> not), but it is used and has been for a long time.
> 
> My website is called crazyguyonabike, it's that dot com if anyone's
> interested. Not facebook by any means, but it's an active journaling
> website and like I said the largest in the world for bicycle tour
> journals. I'm also actively working on expansions to the site into other
> topics, so this is not a dead issue for me. I plan on continuing to use
> Embperl on new sites going forward.
> 
> Thanks for your consideration,
> 
> Neil Gunton
> 
> Dominic Hargreaves wrote:
> > Hi,
> > 
> > As you can see from the message below, we are considering removing Embperl
> > from Debian because of concerns about not being actively maintained. We
> > have had to patch it several times to cope with changes in newer upstream
> > versions over the past few years, and we don't think it is really being
> > used much in Debian any more.
> > 
> > Interested if anyone has any thoughts on this from the user or upstream
> > dev perspective.
> > 
> > Best,
> > Dominic.
> > 
> > - Forwarded message from Dominic Hargreaves <d...@earth.li> -
> > 
> > Date: Fri, 18 May 2018 17:08:38 +0200
> > From: Dominic Hargreaves <d...@earth.li>
> > To: sub...@bugs.debian.org
> > Subject: Bug#899021: libembperl-perl: FTBFS with Perl 5.27, unmaintained
> > upstream
> > Reply-To: Dominic Hargreaves <d...@earth.li>, 899...@bugs.debian.org
> > 
> > Source: libembperl-perl
> > Version: 2.5.0-11
> > Severity: serious
> > Justification: unmaintained upstream, and will shortly break in Debian
> > X-Debbugs-Cc: debian-p...@lists.debian.org
> > User: debian-p...@lists.debian.org
> > Usertags: perl-5.28-transition hh2018
> > 
> > The upstream version of this package has not worked since 5.18, and we
> > have had to apply several fixes in Debian since. The build has now
> > broken again with Perl 5.27:
> > 
> > http://perl.debian.net/rebuild-logs/perl-5.27-throwaway/libembperl-perl_2.5.0-11/libembperl-perl_2.5.0-11_amd64-2018-05-18T08:09:28Z.build
> > 
> > The problem in this case might not be that hard to fix, but I have
> > been considering deprecating/removing this for some time, as there is
> > a limit to how long we can be de facto upstream for this type of
> > package.
> > 
> > Currently the package has a popcon of inst: 37 / vote: 22 / recent: 1
> > suggesting that it is barely used anywhere. So I suggest that rather than
> > spending any more time maintaining it, we remove it from Debian.
> > 
> > CC to debian-perl to get wider exposure of the proposal.
> > 
> > Cheers,
> > Dominic.
> > 
> > 
> > 
> > - End forwarded message -
> > 



Proposal to remove Embperl from Debian

2018-05-21 Thread Dominic Hargreaves
Hi,

As you can see from the message below, we are considering removing Embperl
from Debian because of concerns about not being actively maintained. We
have had to patch it several times to cope with changes in newer upstream
versions over the past few years, and we don't think it is really being
used much in Debian any more.

Interested if anyone has any thoughts on this from the user or upstream
dev perspective.

Best,
Dominic.

- Forwarded message from Dominic Hargreaves <d...@earth.li> -

Date: Fri, 18 May 2018 17:08:38 +0200
From: Dominic Hargreaves <d...@earth.li>
To: sub...@bugs.debian.org
Subject: Bug#899021: libembperl-perl: FTBFS with Perl 5.27, unmaintained
upstream
Reply-To: Dominic Hargreaves <d...@earth.li>, 899...@bugs.debian.org

Source: libembperl-perl
Version: 2.5.0-11
Severity: serious
Justification: unmaintained upstream, and will shortly break in Debian
X-Debbugs-Cc: debian-p...@lists.debian.org
User: debian-p...@lists.debian.org
Usertags: perl-5.28-transition hh2018

The upstream version of this package has not worked since 5.18, and we
have had to apply several fixes in Debian since. The build has now
broken again with Perl 5.27:

http://perl.debian.net/rebuild-logs/perl-5.27-throwaway/libembperl-perl_2.5.0-11/libembperl-perl_2.5.0-11_amd64-2018-05-18T08:09:28Z.build

The problem in this case might not be that hard to fix, but I have
been considering deprecating/removing this for some time, as there is
a limit to how long we can be de facto upstream for this type of
package.

Currently the package has a popcon of inst: 37 / vote: 22 / recent: 1
suggesting that it is barely used anywhere. So I suggest that rather than
spending any more time maintaining it, we remove it from Debian.

CC to debian-perl to get wider exposure of the proposal.

Cheers,
Dominic.



- End forwarded message -




[Pkg-postgresql-public] Bug#899209: postgresql-10: FTBFS with perl 5.27: command failed: "psql" [...]

2018-05-20 Thread Dominic Hargreaves
Source: postgresql-10
Version: 10.4-2
Severity: important
User: debian-p...@lists.debia.org
Usertags: perl-5.28-transition hh2018

In the process of test-building packages against the next version of
perl (5.27.11, to be released as 5.28.0) we found the following failure
in postgreql-10:

2018-05-17 20:01:44.556 UTC [22629] pg_regress ERROR:  
2018-05-17 20:01:44.556 UTC [22629] pg_regress CONTEXT:  while running Perl initialization
2018-05-17 20:01:44.556 UTC [22629] pg_regress STATEMENT:  CREATE EXTENSION IF NOT EXISTS "plperl"

The complete log, should it be of interest, is at

http://perl.debian.net/rebuild-logs/perl-5.27/postgresql-10_10.4-2/postgresql-10_10.4-2+b1_amd64-2018-05-17T19:50:35Z.build

This bug will become RC nearer the time of the perl 5.28 transition
which is yet to be scheduled.

Note that perl 5.27 is not currently available, even in experimental, just
yet, but we thought that an early heads up would be useful.

If you need to test on perl 5.27, please have a look at
 for a test repository and don't hesitate to
get in touch if you need more information.

Cheers,
Dominic.




Bug#899207: dist: some script fail syntax checks

2018-05-20 Thread Dominic Hargreaves
Package: dist
Version: 1:3.5-36.0001-3

As reported upstream 
several of the Perl scripts shipped in this package fail syntax checks.
Additionally, the Depends on libperl4-corelibs-perl, also needed for
several of the scripts, has been removed.

I will include fixes for these issues in the (delayed) NMU I'm planning
to upload shortly.

Thanks,
Dominic.


